PF Wireguard bind outgoing packets to virtual IP

Let's say you have unit1 with master IP 1.1.1.5 and unit2 with master IP 1.1.1.9, and a floating IP 1.1.1.7 which is only owned by the active unit. By default, WireGuard packets leaving the firewall are sourced from the highest interface IP, which would break when the floating IP moves from unit 1 to 2.

Is there a way to use PF to force WireGuard to reply sourced from the correct IP in CARP scenarios?
 
Bind WireGuard to the VIP address instead of 0.0.0.0 or *.
 