Welcome to Q&A
In this scenario you have many options. The simplest configuration is:
Tunnel type: OpenVPN (SSL).
Authentication type: Azure Active Directory or certificate.
Download the Azure certificate to use with the Azure VPN client.
Authorize the Azure VPN application in your AAD tenant and grant it permission to sign in and read user profiles.
Create users in your AAD tenant and assign them roles and groups as needed.
Download and install the Azure VPN client on your device and sign in with your AAD credentials.
When an employee leaves the company, just remove their permission to use the Azure VPN client under Enterprise applications in Entra ID.
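
The offboarding step described in the answer above, as an added example that is not part of the original answer: a Microsoft Graph PowerShell script that removes a departing user's assignment to the VPN enterprise application and flags two cases where removal alone does not block sign-in. The application display name `Azure VPN`, the parameter names and the sample UPN are assumptions; adjust them to your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Users
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. leaver@contoso.example (constructed)
    [string] $AppDisplayName = 'Azure VPN'               # assumption: name under Enterprise applications
)

Connect-MgGraph -Scopes 'Directory.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# Locate the enterprise application (service principal) that gates VPN sign-in.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$AppDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# If assignment is not required, every user in the tenant can sign in to the
# application, so removing one user's assignment changes nothing.
if (-not $sp.AppRoleAssignmentRequired) {
    Write-Warning "'$AppDisplayName' does not require assignment; set 'Assignment required' to Yes first."
}

$user        = Get-MgUser -UserId $UserPrincipalName
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# Remove assignments made directly to the user.
$direct = @($assignments | Where-Object { $_.PrincipalId -eq $user.Id })
foreach ($a in $direct) {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
    Write-Output "Removed direct assignment $($a.Id) for $UserPrincipalName"
}

# Access inherited through a group survives the step above, so report it.
$groupIds = @((Get-MgUserMemberOf -UserId $user.Id -All).Id)
$viaGroup = @($assignments | Where-Object {
    $_.PrincipalType -eq 'Group' -and $_.PrincipalId -in $groupIds
})
foreach ($g in $viaGroup) {
    Write-Warning "Still assigned via group '$($g.PrincipalDisplayName)'; remove the user from it."
}

if ($direct.Count -eq 0 -and $viaGroup.Count -eq 0) {
    Write-Output "$UserPrincipalName had no assignment to '$AppDisplayName'."
}
```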