+! for pfSense, though wireguard support won’t be there because pfSense is an enterprise solution that will not add incomplete services with potential performance and security holes to their software package. OpenVPN or IPsec will perform just fine - something like an i3-4130T would blow your performance requirements out of the water for dirt cheap. Follow JDM’s pfSense guide if you so desire.
I would steer you away from traffic shaping, it introduces latency, annihilates throughput, and generally causes more harm than good. VOIP and SSH will be just fine without QoS.