Failover with VPN Tunnel

Started by DeeGee, March 26, 2022, 01:21:25 PM

I've got some local failover using CARP/VIP with my two Opnsenses. Now I'd like to expand this so that the VPN connectivity also fails over. Right now it depends on LocalOpn1 being up. I'm using Wireguard for VPN.

RemotePf1:
LAN IPv4: 192.168.20.1/24
LAN IPv6: 2000:abc:1111::1/64
This machine is also routing the whole 2000:abc::/56

LocalOpn1 (primary):
LAN IPv4: 192.168.5.254/24
LAN IPv6: 2000:abc:2222::254/64

LocalOpn2 (backup):
LAN IPv4: 192.168.5.253/24
LAN IPv6: 2000:abc:2222::253/64

LocalOpn1 gets a /60-net from RemotePf1's /56-net.
I use CARP/VIP on the two locals to assign them 192.168.5.1 and 2000:abc:2222::1.
RemotePf1 is the exit node for all IPv6 traffic.

How can I get this two-to-one VPN setup to work?

For anyone running into this thread, I ended up using a single tunnel instead of two and turning it off/on using hooks as mentioned by spali and jprenken in https://forum.opnsense.org/index.php?topic=25993.0 and https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573.
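As an added example of the single-tunnel approach described above (not the poster's script and not the linked gist), here is a CARP hook that brings the WireGuard tunnel up only on the node that becomes MASTER and tears it down on BACKUP/INIT, so the remote peer only ever sees one live endpoint. It assumes OPNsense's CARP hook convention (a script in /usr/local/etc/rc.syshook.d/carp/ called with `<vhid>@<interface>` and the new state), a VHID number of 1 for the VIP to follow, and that `wg-quick` manages an interface named `wg0`; all three are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Added example hook, not the thread's or the linked gist's script.
# Assumed calling convention (OPNsense rc.syshook.d/carp):
#   <script> <vhid>@<iface> <STATE>   with STATE = MASTER | BACKUP | INIT
WATCH_VHID="${WATCH_VHID:-1}"              # assumed VHID of the VIP to follow; the
                                           # IPv6 VIP's own event must not double-toggle
WG_IFACE="${WG_IFACE:-wg0}"                # assumed tunnel interface name
WG_QUICK="${WG_QUICK:-/usr/local/bin/wg-quick}"   # assumed tunnel manager

# Map a CARP state to the tunnel action. Only MASTER owns the tunnel;
# BACKUP, INIT and anything unexpected tear it down (fail closed).
carp_to_action() {
    case "$1" in
        MASTER)      echo up ;;
        BACKUP|INIT) echo down ;;
        *)           echo down ;;
    esac
}

# True when an event for "<vhid>@<iface>" concerns the watched VHID.
is_watched_vhid() {
    [ "${1%@*}" = "$WATCH_VHID" ]
}

# Apply the action idempotently: wg-quick fails when asked to create an
# interface that already exists, so check ifconfig before acting.
apply_action() {
    if [ "$1" = up ]; then
        ifconfig "$WG_IFACE" >/dev/null 2>&1 || "$WG_QUICK" up "$WG_IFACE"
    else
        ifconfig "$WG_IFACE" >/dev/null 2>&1 && "$WG_QUICK" down "$WG_IFACE"
    fi
    return 0
}

main() {
    subsystem="$1"; state="$2"
    is_watched_vhid "$subsystem" || return 0     # some other VIP changed, ignore
    action="$(carp_to_action "$state")"
    logger -t carp-wg "vhid $WATCH_VHID -> $state: tunnel $WG_IFACE $action"
    apply_action "$action"
}

# Run as the hook only when CARP passes arguments; sourcing without
# arguments (e.g. for testing the helpers) does nothing.
[ $# -eq 0 ] || main "$@"
```

Because the hook fires once per VHID, filtering on one VHID keeps the IPv4 and IPv6 VIP transitions from racing each other on the same tunnel.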