We will configure the IPSEC VPN using WAN1 back to HQ, and enable it. The question is, how do we set the traffic from 10.12.2.0/24 to use WAN2 all the time and, only if WAN2 is down, use the VPN on WAN1?
We also have another internal subnet at Branch Office B, 10.13.2.0/24, the guest network, which will always use WAN1, for internet access only.
A traditional IPSEC VPN and WAN router is not able to achieve your fail-over requirement. The HQ router plays a main role here in routing traffic between the VPN and WAN traffic.
This has been well explained in the Hybrid WAN Best Practice example, whereby HQ also requires a Peplink router.