You can set up the WireGuard tunnel as usual. Create the server and client configuration. Then you'll add the routing for the LAN subnets to achieve the site-to-site tunnel. For the first part you don't need much on the firewalls, only to allow the incoming traffic on the vm2 WAN firewall. When vm1 is migrated to another site, you'll need to allow incoming traffic on its WAN zone and make sure that one WAN can reach the other; DDNS may need to be utilized in case of a dynamic IP.
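
The setup described above as a pair of wg-quick style configurations, added here as an example and not taken from the original post. The LAN subnets, tunnel addresses, port, hostname and key placeholders are all assumptions, with vm2 acting as the listening side.

```ini
# Constructed example: every address, port, hostname and key below is a placeholder.
# Assumed LANs: vm1 = 192.168.1.0/24, vm2 = 192.168.2.0/24; tunnel = 10.0.0.0/30.

# ---- vm2 (server side), /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.0.0.1/30
# The WAN firewall on vm2 must allow inbound UDP to this port.
ListenPort = 51820
PrivateKey = <vm2-private-key>

[Peer]
PublicKey = <vm1-public-key>
# vm1's tunnel address plus vm1's LAN. wg-quick adds a route for each entry,
# and WireGuard drops packets from this peer whose source is outside the list.
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

# ---- vm1 (client side), /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.0.0.2/30
PrivateKey = <vm1-private-key>

[Peer]
PublicKey = <vm2-public-key>
# A DDNS name can be used here if vm2's WAN IP is dynamic.
Endpoint = vm2.example.net:51820
# Only vm2's tunnel address and LAN are routed through the tunnel, not 0.0.0.0/0.
AllowedIPs = 10.0.0.1/32, 192.168.2.0/24
# Keeps the NAT/firewall state open so vm2 can reach vm1 without an inbound rule.
PersistentKeepalive = 25
```

Both routers also need IP forwarding enabled and a firewall rule that permits forwarding between the tunnel interface and the local LAN.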