System administration
Denis Sechin, 2017-04-03 17:05:42

Bullshit with vsftpd on ubuntu?

I've been racking my brain over this. I need to set up FTP on the corporate network. I installed vsftpd on Ubuntu; the config is below. Everything works fine inside the network, but remote offices that are connected via an OpenVPN tunnel get an error when entering ftp://10.49.1.*** in Explorer:

I don't have access to the folder make sure the filename is correct and you have access
It doesn't even ask for a password.

The computer with vsftpd is located behind NAT (an Ubuntu gateway); ipfilter is running on it.
At the same time, though, another subnet also connects normally via OpenVPN.
Here is the config:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=023
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=admin
xferlog_file=/var/log/vsftpd.log
#ascii_upload_enable=YES
#ascii_enable YES
chroot_local_user=YES
allow_writeable_chroot=YES
chroot_local_user=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=YES
pasv_min_port= 50000
pasv_max_port=60000
pasv_address=213.108.**

Here is the iptables config:

#ftp
iptables -A FORWARD -d 10.49.1.166 -p tcp -m multiport --ports 20:21 -j ACCEPT
iptables -A FORWARD -i 213.108.**.*** -p tcp -d 10.49.1.*** -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 50000:60000 -m conntrack --ctstate NEW -j ACCEPT
$ip -A FORWARD -s 10.49.1.166 -p tcp -m multiport --ports 50000:60000 -j ACCEPT
#iptables -t nat -A POSTROUTING -o $EXT_IF1 -j SNAT --to-source $EXT_IP1

Yes, Wireshark on the client shows that the connection goes to dst port 32966 for some reason.
In the logs, there is nothing at all for the clients that cannot connect. Telnet from the client does not work either. Telnet from the gateways that the clients are behind does get through.
Thank you for your support.
