We were looking at Always On VPN from MS. They recommend 4 servers, but this is a small install. Any reason it all cannot be done on 1, or a minimum of 2: DC + Always On VPN requirements on another server?
If you’re referring to the servers with the RRAS roles, then it can be done on two. You still need NPS server if you don’t already have one. BTW, be ready to refer to Richard Hicks’ blog every time you run into a weird issue trying to follow Microsoft’s documentation to set it up. Last time we tried it was a terrible buggy experience.
Edit: Here is his blog: https://directaccess.richardhicks.com/
Maybe want to consider something like Zscaler or Cisco Umbrella. Proxy-as-a-service type solution.
While it’s technically possible to deploy Always On VPN with a single server, it isn’t recommended. However, in a small environment, you could do this with a minimum of two servers: a domain controller and a VPN/NPS server. FYI, you only need to install RRAS. Do NOT install NPS (the NPAS role) on the RRAS server (details here: Always On VPN RADIUS Configuration Missing | Richard M. Hicks Consulting, Inc.). You actually get NPS when you install RRAS (NPS lite, if you will). Let me know if you decide to go that route, and I will provide more details on configuring it.
Oh ya, and I hear that Richard Hicks guy is pretty cool.
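A quick check of the role layout the post above describes (RRAS present, the full NPAS role absent on the same box). This is an added example, not code from the thread or from Richard Hicks; it assumes a Windows Server host where the ServerManager module's Get-WindowsFeature is available, and uses the standard feature names RemoteAccess, DirectAccess-VPN and NPAS.

```powershell
# Added example (not from the thread): report whether the VPN server has the
# RRAS role and whether the full NPAS role was also installed alongside it.
# Assumes Windows Server with the ServerManager module (Get-WindowsFeature).
function Test-AovpnRoleLayout {
    # Standard Windows Server feature names:
    #   RemoteAccess      - the Remote Access (RRAS) role
    #   DirectAccess-VPN  - the DirectAccess and VPN (RAS) role service
    #   NPAS              - the full Network Policy and Access Services role
    $features = Get-WindowsFeature -Name 'RemoteAccess', 'DirectAccess-VPN', 'NPAS'

    $rras = ($features | Where-Object Name -eq 'RemoteAccess').Installed
    $vpn  = ($features | Where-Object Name -eq 'DirectAccess-VPN').Installed
    $npas = ($features | Where-Object Name -eq 'NPAS').Installed

    [pscustomobject]@{
        RrasInstalled    = $rras
        VpnRoleInstalled = $vpn
        NpasInstalled    = $npas
        # Rule from the post: RRAS (with its built-in NPS components) is enough;
        # the separate NPAS role should not be installed on the RRAS server.
        LayoutOk         = ($rras -and $vpn -and -not $npas)
    }
}

$result = Test-AovpnRoleLayout
$result
if (-not $result.LayoutOk) {
    Write-Warning 'Role layout does not match the recommendation: RRAS/VPN missing, or NPAS installed on the RRAS server.'
}
```

Run it in an elevated PowerShell session on the prospective VPN server before and after role installation; a LayoutOk of False with NpasInstalled True is the situation the linked blog post warns about.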
be ready to refer to Richard Hicks’ blog
Yeah, OP, just go ahead and bookmark his blog. Almost every issue we had with DirectAccess and AOVPN was solved by him.
Agreed. If you have only a few users, Always On VPN might be overkill. Tailscale is awesome, and completely free for up to three users and 100 devices. I use it myself.
I’ve tripped over every conceivable landmine there is with Always On VPN. I try to document them as much as I can. Glad to hear it is helping others solve problems.