There is frequent employee turnover, which currently forces changes in the configuration of VLANs on the switch ports.
As it seems, you might be using port-based VLANs instead of privilege groups. That isn't only very cumbersome, it's also not secure. (Any user could replug their computer to another jack to change their security level.)
Instead, you should be using port-level security like IEEE 802.1X, where a user authenticates to the network and only then are they associated with a VLAN or security level.
Alternatively, some solutions allow you to identify (Windows) users on a firewall and apply rules based on that identity and its group memberships (sometimes called single sign-on, IAM or simply AAA). In case your servers are located within the users' VLANs, you should move them out, to one or more VLANs of their own - then you control access to them on the firewall, based on user group membership. And there's no need for different privilege-level user VLANs at all.
As to product recommendations, those are explicitly off topic here, sorry. Terminating 8k users with a software solution would very likely require a cluster of VPN servers/gateways though. The concepts suggested above should be much lower maintenance.
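The difference between the two models described in this answer, as an added example that is not part of the original answer: a small Python model comparing port-based VLANs with 802.1X-style assignment, where the authentication server returns the VLAN in the RFC 3580 tunnel attributes. The users, groups, jack names and VLAN IDs are constructed sample data, and the function names are hypothetical.

```python
"""Port-based vs. identity-based (802.1X-style) VLAN assignment, side by side.
All users, groups, jacks and VLAN IDs are constructed sample data."""

STATIC_PORT_VLAN = {"jack-1": 10, "jack-2": 20}    # port-based: the jack decides
GROUP_VLAN = [("finance", 20), ("staff", 10)]       # identity-based: first match wins
DIRECTORY = {"alice": {"staff", "finance"}, "bob": {"staff"}}


def port_based_vlan(jack, user):
    """The user is never consulted; whoever plugs in inherits the jack's VLAN."""
    return STATIC_PORT_VLAN.get(jack)


def radius_decision(user, credentials_ok, directory):
    """Model the authentication server: Access-Reject (None) or the
    RFC 3580 VLAN attributes carried in an Access-Accept."""
    if not credentials_ok or user not in directory:
        return None                                  # fail closed
    for group, vlan in GROUP_VLAN:
        if group in directory[user]:
            return {"Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": str(vlan)}
    return None                                      # authenticated, no mapped group


def dot1x_vlan(jack, user, credentials_ok=True, directory=DIRECTORY):
    """The port stays unauthorized until the server accepts; the VLAN comes
    from the reply, so the jack plays no part in the result."""
    reply = radius_decision(user, credentials_ok, directory)
    return int(reply["Tunnel-Private-Group-ID"]) if reply else None


def demo():
    """One row per (user, jack): VLAN under each model."""
    return [(user, jack, port_based_vlan(jack, user), dot1x_vlan(jack, user))
            for user in ("alice", "bob") for jack in STATIC_PORT_VLAN]


if __name__ == "__main__":
    for row in demo():
        print("user=%s jack=%s port-based=%s 802.1X=%s" % row)
    # Turnover: removing bob from the directory needs no switch change.
    remaining = {u: g for u, g in DIRECTORY.items() if u != "bob"}
    print("bob after offboarding:", dot1x_vlan("jack-2", "bob", directory=remaining))
```

With port-based VLANs the result changes with the jack; with the identity-based model it follows the user, and offboarding is a directory change only.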