Any provider with shadowsocks configs. Or if not, if you have hardware lying around you could host a tunnel with gluetun.

WireGuard

I would be surprised if wireguard was fingerprint resistant.

If you want to avoid a Mitm from detecting that you are using a VPN your best bet is probably to use some kind of tunnel that looks like regular https traffic. which means it uses TLS either with TCP or QUIC on port 443.

I didn't say anything about fingerprint resistance. I answered a question about what the good one is. It's good for other reasons.

Obfs4 is what you need