As suggested before, try OpenVPN in udp mode.
For faster response, reduce the size of the receive and transmit buffers, and disable compression.
As for the real addresses of connecting machines on the target machine, you will need to ensure that packets are returned back to the VPN tunnel on the side of the target machine behind NAT. And for this you will need to use the default gateway towards the tunnel or static routes (if you know the addresses of incoming clients)
Further, on the side of the VPN server with a public IP where the clients connect, you will need to configure port forwarding (DNAT) to the vpn interface address of the target machine. Then the packets coming to the target machine will have the real ip of the visitor.
I have no experience with Wireguard, but for some reason it seems that you just need to correctly configure DNAT on the VPN server and default routing on the target machine and you will get real client addresses on the target machine.

SSH also has tunneling (VPN). And then at both ends we set up such rules for port 3389 so that the packets go exactly through this new tunnel in both directions, and the addresses are broadcast at the right moments. For UDP on VPS side DNAT, on home network side SNAT

Instead of an SSH tunnel, use a VPN (such as OpenVPN) with static IP assignment per user. Also connect the end resource through the VPN tunnel.
This
is faster
- at the VPN level, you can limit the user by IP
- at the end resource level, you can differentiate by IP that the VPN assigns (that is, actually by users).

My provider (cheap) does double-NAT , so it’s unrealistic to get through for a bureaucratic reason. You need to dig from the inside - it always wins. Where and how to dig? depends only on you.