In that case another option may be setting up a couple of VM's or physical servers in an edge zone of your network and use an open source VPN. The latest popular solution is Wireguard. There are some github repos that have examples of how to set that up for mobile roaming devices. The downside of these solutions is that they trust keys bound to a device vs having per-person authentication but one could always have additional controls just past the VPN.

Another thing I have seen people pushing here lately is tailscale, though I am not a fan of cloud solutions for remote access. As the company grows that would have to be factored into 3rd party controls and I am personally too lazy and like to keep audits short and sweet.

A smaller and more old school solution is to have a hardened SSH bastion and do port forwarding through it. This is very unpopular among developers though and that machine must be kept up to date and ideally have mandatory access controls such as SELinux or Apparmor enforcing policies.