phein4242B
If you want to forward an ssh connection over an existing ssh connection, ProxyJump is the way to go.
They have some pointers in their documentation: https://webmin.com/faq/
You need to reconfigure Webmin to serve you a wss:// URL towards that websocket. The second S in wss stands for securitah! :)
Start by reading what DNS can do. Good luck!
Objectively you reduce your attack surface if you actually self-host WireGuard, since you don't control 3rd party products, and cannot give any guarantees wrt their security.
Unpopular opinion, yes, but security > convenience ;-)
Thing is, you grew up in the pioneering age of computing, and in that time you needed to do everything yourself. This gave you a bunch of skills for free that are hard to do today, because most of the hard stuff is automated away and snuck behind a GUI and/or containers.
Syslog is what you are looking for.
Even if you can get the appZTNA stuff to work (which I doubt), how is your infra going to absorb multi Tbit traffic without customer impact?