Need some help on Authentication, Authorization, etc

Due to the everyone-work-from-home virus, I have agreed to help out a few people by making them their own bit of space on my network. I want to be able to give them their own cloud for storage as well as access to my media files to curb cabin fever.
Basically I am taking all of my server mgmt, direct access to the storage servers, etc… and moving them behind a second firewall that only I will be able to access. They will all have VPN accounts to gain access to their DMZ VLANs, so to speak (nothing will actually be exposed to the internet, couldn't find a better term though), which will contain all that they need.
The setup has been easy to maintain in the past since it was only me and my password manager. With others though, I would like to have a better system in place. I have been going over FreeRADIUS, LDAP, Kerberos, SAML, PKI setups and combinations thereof (mainly FreeIPA). But having not really used any of these systems aside from pfSense FreeRADIUS for my own single VPN login, I can’t with confidence judge the trade-offs of one setup vs another (i.e. if I just use LDAP with TLS I get an encrypted tunnel but no 2FA, with RADIUS I get no tunnel but 2FA ability, and so on), find definitive answers on some items (which, if any, can be used by way of a reverse proxy), etc…
Not asking for a setup guide, just a bit of clarity on which road to take. Thanks.