Wireguard road warrior HA

I’m migrating from a single vyos to a pair running vrrp, conntrack-sync and dhcp sync.
The only thing left to migrate is wireguard. Originally I thought I’d deploy the same wireguard config to both nodes, share the key between them, and use vrrp for the wireguard endpoint address.

If the nodes have separate IP addresses on the wg subnet, otherwise same wg config and key, can I configure a vrrp using wg0 interface and a virtual-address which will be the endpoint used by peers to connect?

Plan B would be to have exactly the same config on both nodes, but disable the wg interface on the standby and use vrrp transition scripts to enable/disable the wg interfaces as required.

Any suggestions which is better, or even a different idea?

In 1.4 you can set virtual address on any interface (even not VRRP)

set high-availability vrrp group foo address 192.0.2.1 interface xxx

Tested it on 1.3.2 and I can configure vrrp for the wireguard wg0 interface. I can’t use rfc 3768 since the wireguard interface doesn’t support it, so the virtual-ip becomes an alias on the wg0 interface.

If I bring up the tunnel, with vrrp virtual IP as endpoint, wg sets the endpoint to the IP address on the physical interface connected to the switch instead of the virtual IP. I assume the wireguard “server” receives initial packets on wg0 virtual ip address but replies with source IP of the physical address and wg sees that and updates the endpoint address. Because that endpoint address is within AllowedIps for the wg network nothing can flow through the tunnel.

Is there a simple way to force wireguard response packets to have the source address of the vrrp virtual ip?

I’ll probably just configure wireguard on both routers, no vrrp, and let VRRP transition scripts disable the wg0 interface on the current BACKUP and enable it on MASTER.

A simple (and ugly!) way could be the use of sNAT rule