Hi,
If there are not many dependencies on domain controllers, I would recommend you move all your workstations to Azure AD in combination with Intune.
However, to answer your question, can't you use a site-to-site VPN instead of a client VPN? That way the GPO policies and other AD domain-related things stay intact for your outside network. But if the users are scattered everywhere and not in a dedicated location, then you can consider checking out "DirectAccess".
I have used DirectAccess to tackle similar kinds of situations. But it involves design/planning and an infrastructure footprint.
DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections. With DirectAccess connections, remote client computers are always connected to your organization; there is no need for remote users to start and stop connections, as is required with VPN connections. In addition, your IT administrators can manage DirectAccess client computers whenever they are running and Internet-connected.