This may be tougher than it seems at first. Configuring Class-Based Weighted Fair Queueing (CBWFQ) won't do much good, because by the time the traffic leaves the router to go over the Internet, it has already been encapsulated and encrypted.
You could implement traffic policing at the ingress interfaces on your router to rate-limit down data traffic as it enters the router. You'd have to go with policing because it's the only kind of QoS policy that can be applied inbound to an interface.
Alternatively, you could deploy two routers at each site: one to connect the various data and voice networks together and perform QoS operations, and the other to connect to the VPN.
This is a good place to start
The link below explains the difference between shaping and policing well: