Connectivity from a HA secondary node through VPN on primary node

[crlt]

I have two HA/CARP opnsense setups connected through a site to site Wireguard VPN. Since the Wireguard tunnel is only up on the active firewall, I cannot access the tunnel from the secondary/backup node. If I try to initiate a ping from the backup node at one site to the primary node at the other site, it does not work (ping: sendto: No route to host).

What is the best way to address this? Last I checked we couldn't assign a virtual IP to a wireguard interface.

I have an outbound rule so that VPN clients can access the backup node but I'm not sure how to go about it when the traffic is initiated at the backup node itself.

[bimbar]

This might best be solved by dynamic routing.

[crlt]

Any pointers on what such a rule would look like and how to get started? I'm not familiar with dynamic routing and it sounds like quite a lift when my main purpose is to just get logging/backups from the firewalls to opposite sites.

If IPSEC supports binding to a CARP VIP, would it just be simpler to move my site to site tunnels from wireguard to IPSEC?