wget wireguard-ui:
https://github.com/ngoduykhanh/wireguard-ui/releases

tar -xvzf wireguard-ui-*.tar.gz
mkdir /opt/wireguard-ui
mv wireguard-ui /opt/wireguard-ui/

vim /opt/wireguard-ui/.env
SESSION_SECRET=
WGUI_USERNAME=
WGUI_PASSWORD=

vim /opt/wireguard-ui/postup.sh
#!/usr/bin/bash
# /opt/wireguard-ui/postup.sh
ufw route allow in on wg0 out on eth0
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

vim /opt/wireguard-ui/postdown.sh
#!/usr/bin/bash
# /opt/wireguard-ui/postdown.sh
ufw route delete allow in on wg0 out on eth0
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

chmod +x /opt/wireguard-ui/post*.sh

vim /etc/systemd/system/wireguard-ui-daemon.service
[Unit]
Description=WireGuard UI Daemon
Wants=network-online.target
After=network-online.target

[Service]
User=root
Group=root
Type=simple

systemctl daemon-reload
systemctl start wireguard-ui-daemon.service

vim /etc/systemd/system/wgui.service
[Unit]
Description=Restart WireGuard
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart [email protected]

[Install]
RequiredBy=wgui.path

vim /etc/systemd/system/wgui.path
[Unit]
Description=Watch /etc/wireguard/wg0.conf for changes

[Path]
PathModified=/etc/wireguard/wg0.conf

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl enable wgui.{path,service}
systemctl start wgui.{path,service}

Nginx proxy:

add_header Cache-Control no-cache;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:5000/;