With a VPN, each user will need a client and certificate. That’s what makes it secure.
An alternate solution (which you would like to avoid) is to put a Pi at each location. For less than $25 or so, they can each buy a Zero, card, USB adapter and power supply. That’s what I have done with friends and family (but I used a Zero W and used the wireless feature). Easy enough for me to set up, and they don’t have to do anything to maintain it other than keep it plugged in.
I suspect the alternate will be easier on your part and their part as well. The VPN is not something they will likely be able to manage, and there is no guarantee that they can even support a VPN on their router. So, some clients would be on your Pi-Hole and others not - too confusing.