
I've never used it myself, but a sister comment mentioned related projects working with WireGuard, and innernet seems to be exactly that use case from a casual glance. You can specify full CIDR rules, so it should be possible to prohibit connections between nodes by segmenting the IPs.

https://github.com/tonarino/innernet

There are easier options around if all you wish is SSH access to your servers, though. Personally I'd recommend Gravitational Teleport, mainly because the name is so hilarious.

https://goteleport.com/




Teleport also has some really neat approval workflows where you can say "2 of these 3 people need to approve a request for people in group Y to access servers in group X". The incoming request can ping you on Slack and then you go to the Teleport web UI (U2F authenticated with SSO) to approve.

It also has some neat stuff around eBPF session recording if you want to be able to play back user sessions for high-security environments. Teleport is good tech.


Bothers me that I cannot set up a backup U2F stick.

Also, I had issues configuring it for my situation with no static IP and behind a proxy. I have it working, but not really exactly how I wanted it. Maybe it's my lack of understanding; I'm sure it could be made to do exactly what I want somehow.

All said, it's pretty nice, but I reverted to using the FIDO2-based key sticks directly.


Agreed! We sent that to them as a feature request and I believe it is now on their roadmap.



