In all honesty of you are in a commerical environment and scale where PCI and mesh VPNs are cropping up you should consider hardware firewalls.
FortiNet has FortiGate ADVPN as part of the base image and no extra licenses required. If you include the licenses you can get PCI reports from the FortiGate.
Juniper has SRX mesh, don’t go for the cisco tax of DMVPN, Palo Alto has LSVPN
I am actually managing a bunch of locations with only 1-3 people at each. Full firewalls feel overkill but maybe there is a middle ground. I’ve actually considered openWRT with ansible but keeping openWRT updated is a pain in the ass.
For now I’ll just stick with Tailscale and some sort of management software.