Martin Koníček

WebSocket connection to WireGuard

First we need to set up Nginx. If you already have an HTTPS server on this host (e.g. another nginx, a Kubernetes ingress, Traefik), you can put an Nginx TLS SNI proxy in front of it: it reads the server name from the TLS ClientHello without terminating TLS and splits traffic between the WebSocket tunnel and your existing web server. Because the TLS session is passed through untouched, your existing web certificates do not need to change; the only change is that the existing server must move off port 443 (to 8443 in the config below).

Install Nginx together with its stream module (on Debian/Ubuntu the libnginx-mod-stream package, which the modules-enabled include below loads) and configure it like this.

/etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf; # loads the stream module on Debian/Ubuntu

events {
    worker_connections  1024;
}

# Layer-4 (TCP) proxy: TLS is not terminated here, only the SNI name is read from the ClientHello.
stream {
  resolver 8.8.8.8;

  # Pick the backend by the server name the client sends in SNI (matching is case-insensitive).
  # Clients that send no SNI, or an unknown name, go to the default backend.
  map $ssl_preread_server_name $selected_upstream {
    YOUR.WIREGUARD.WEBSITE.COM 127.0.0.1:10443; # wstunnel server (see the unit below)
    default 127.0.0.1:8443; # YOUR EXISTING HTTPS WEBSERVER ADDRESS
  }

  server {
    listen 443; # PORT WE WILL LISTEN ON
    proxy_pass $selected_upstream;
    ssl_preread on; # required, otherwise $ssl_preread_server_name is empty
  }
}

Installing WSTunnel

Next we install wstunnel.

Download a release binary for your platform from https://github.com/erebe/wstunnel/releases, copy it to /usr/bin/wstunnel and make it executable. Note that the proxy above forwards at the TCP layer, so both backends see 127.0.0.1 as the client address; if your existing web server needs real client IPs, nginx's proxy_protocol directive in the stream server is the usual fix, provided the backend is configured to accept the PROXY protocol.

/etc/systemd/system/wstunnel.service

[Unit]
Description=WebSocket tunnel for WireGuard
After=network.target

[Service]
Type=simple
User=nobody
# Bind to loopback: the only legitimate path in is through the Nginx SNI proxy.
# --restrict-to limits what a client may reach through the tunnel to WireGuard alone.
ExecStart=/usr/bin/wstunnel server wss://127.0.0.1:10443 --restrict-to 127.0.0.1:51820
Restart=no
NoNewPrivileges=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

This service accepts WebSocket connections handed over by the SNI proxy and forwards the tunnelled UDP datagrams to port 51820 on localhost, where WireGuard listens. Bind it to 127.0.0.1 (or firewall port 10443) so that it is reachable only through the proxy, and keep the real WireGuard port 51820 closed to the internet if the tunnel is meant to be the only way in.

Two points worth checking. First, --restrict-to is what keeps this from being an open proxy: a client can only ask the server to reach 127.0.0.1:51820, nothing else on the host or behind it. Anyone who reaches the tunnel still only reaches WireGuard, which authenticates peers by key, so the exposure is the same as publishing UDP 51820 directly. Second, with no certificate given, wstunnel serves wss:// with a self-signed certificate, and the wstunnel client does not verify it unless told to. That is acceptable here because the WireGuard handshake inside the tunnel provides its own authentication and encryption; the outer TLS only makes the traffic look like ordinary HTTPS to the SNI proxy and to the network. If you want the outer layer verified as well, give wstunnel server a real certificate and key and enable certificate verification on the client (check wstunnel --help in your release for the exact option names).

Client configuration

To run the client on Windows, I keep the following Python script in the shell:startup folder; it starts wstunnel in the background. The hostname in the wss:// URL must be the one you mapped to 127.0.0.1:10443 in the Nginx config, because that SNI name is what routes the connection to the tunnel.

tunnel.pyw

import subprocess

# Start wstunnel detached so it outlives this script; the raw string keeps the backslashes literal.
subprocess.Popen([r"C:\Windows\wstunnel.exe", "client", "wss://yourwebsite.com/",
                  "-L", "udp://51820:127.0.0.1:51820"],  # local UDP 51820 -> WireGuard on the server
                 creationflags=subprocess.DETACHED_PROCESS, close_fds=True)

I run this script on every login to Windows and then set up the WireGuard tunnel on the client with its Endpoint pointing to 127.0.0.1:51820, i.e. the local wstunnel listener rather than the server. Because the UDP packets now ride inside a TCP WebSocket, also set PersistentKeepalive (e.g. 25) on the client peer so the UDP mapping in wstunnel does not expire during idle periods.

If you want to route all traffic through the tunnel (AllowedIPs = 0.0.0.0/0), you must exclude the public IP address of yourwebsite.com from AllowedIPs. Otherwise the WebSocket connection that carries the tunnel would itself be routed into the tunnel, and the link would go down. You can use the following calculator to compute the list of prefixes that covers everything except that address:

Wireguard Disallowed IPs

https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
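As an added example (not from the original post), this Python script does the same job as the linked calculator using only the standard library: it removes the server's public address from 0.0.0.0/0 and renders a client config whose Endpoint is the local wstunnel listener. It goes slightly beyond the calculator in that it accepts several excluded prefixes and an IPv6 default route. The address 203.0.113.10, the tunnel address 10.8.0.2/32 and the key placeholders are constructed values; substitute the address yourwebsite.com actually resolves to.

```python
"""Compute WireGuard AllowedIPs that cover everything except the tunnel endpoint's own address.

Added example, not part of the original post. ipaddress.address_exclude does what the
linked calculator does: it splits a prefix into the set of prefixes that together
cover every address except the excluded one(s).
"""
import ipaddress


def allowed_ips_excluding(excluded, allowed=("0.0.0.0/0",)):
    """Return the prefixes of `allowed` minus every prefix in `excluded`, sorted."""
    result = [ipaddress.ip_network(a) for a in allowed]
    for ex in (ipaddress.ip_network(e) for e in excluded):  # a bare IP becomes a /32 (or /128)
        next_result = []
        for net in result:
            if net.version != ex.version or not net.overlaps(ex):
                next_result.append(net)          # different family or disjoint: keep as is
            elif net.subnet_of(ex):
                continue                         # wholly covered by the exclusion: drop it
            else:
                next_result.extend(net.address_exclude(ex))  # carve the exclusion out
        result = next_result
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def contains_address(nets, ip):
    """True if `ip` falls inside any prefix in `nets`, i.e. would be routed into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def client_config(server_public_key, client_private_key, client_address, allowed, keepalive=25):
    """Render a WireGuard client config that talks to the local wstunnel listener."""
    lines = [
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {client_address}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        "Endpoint = 127.0.0.1:51820",  # the local wstunnel -L listener, not the server itself
        f"AllowedIPs = {', '.join(str(n) for n in allowed)}",
        f"PersistentKeepalive = {keepalive}",  # keeps the UDP-over-WebSocket mapping alive
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values: the public IP of yourwebsite.com and placeholder keys.
    server_ip = "203.0.113.10"
    nets = allowed_ips_excluding([server_ip])
    assert not contains_address(nets, server_ip)
    print(client_config("<server public key>", "<client private key>", "10.8.0.2/32", nets))
```

Run it and paste the AllowedIPs line into the client's [Peer] section. The excluded address must be the one yourwebsite.com resolves to from the client's network; if it changes, or the name resolves to several addresses, regenerate the list with all of them excluded.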
