If your ftp server is behind a NAT router, the regular ftps configuration steps you find in most tutorials in the Internet may not work for you. Hope these steps help.

1. Chroot (chain or jail) users to their home directory by adding the line below to proftpd.conf

DefaultRoot ~

2. Generate certificate keys, in this case, in the directory /etc/proftpd/ssl/

$openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/server.cert.pem -keyout /etc/proftpd/ssl/server.key.pem

3. Add this lines to proftpd.conf

TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on

4. Allow a range of passive ports to be forwarded to your ftp server by the firewall and set those ports in your ftp config file – proftpd.conf in this case.

PassivePorts 60000 60100

5. Masquerade the ftp server’s address to the external IP of the NAT server/router.

MasqueradeAddress x.x.x.x