Connectivity from a HA secondary node through VPN on primary node

Started by crlt, July 17, 2025, 01:43:34 AM

I have two HA/CARP OPNsense setups connected through a site-to-site WireGuard VPN. Since the WireGuard tunnel is only up on the active firewall, I cannot access the tunnel from the secondary/backup node. If I try to initiate a ping from the backup node at one site to the primary node at the other site, it does not work (ping: sendto: No route to host).

What is the best way to address this? Last I checked, we couldn't assign a virtual IP to a WireGuard interface.

I have an outbound rule so that VPN clients can access the backup node, but I'm not sure how to go about it when the traffic is initiated at the backup node itself.