See: https://aws.amazon.com/blogs/networking-and-content-delivery...
Basically, if you just link your VPCs in each region with the appropriate routing policies, you can just connect to your preferred VPN server in each region and ultimately get routed correctly. This is what companies with cloud-based SD-WAN do for providing SASE services to end-user clients.