Connecting a Fritz!box router with a site-to-site (aka LAN to LAN) VPN is not supported directly within the standard user interface. It is however possible with some advanced configuration. This process is to connect in a LAN-to-LAN configuration to a SOPHOS XG UTM.

This article, in German with English translation further down the page, describes the process:


Both sites should have a real public IP address, not CG-NAT and preferably static.

You can use a DynDNS but if the ISP uses CG-NAT  (2degrees, MyRepublic some Trustpower etc) then you will need to get a static IP to avoid CG-NAT.

It is best to disable the requirement for button push on the Fritz!box when changing advanced settings especially if administering the Fritz!box remotely.

Download the VPN config tool from and install on PC.

Make a config for a Fritz!box - Fritz!box VPN and export out the config files.

You only need the file from the client end. It will not work until you edit the file as per the article above but you need the file generated by the config tool so that its got the right syntax/headers/layout that the Fritz!box will recognise and accept.

Edit the file.

Set up the Sophos side as per usual and make the policy for this connection. Note the DH1024 limitation in the Fritz!box.

Activate on Sophos side.

Import the connection file into the Fritz!box and it will activate it immediately.

You should be able to ping the remote LAN straight away. DNS name resolution of remote servers may require editing the hosts file on client devices on the Fritz!box LAN side.

Attached here is a sample Fritz!box config file which can be edited with connection specific IP addresses and PSK.