@JL I've got the setup working using the WAN, which isn't publicly routable, so all RUTs are on the same private APN. Then I followed the wiki for server/client setup [1]. The only difference is that instead of using the private WAN IP, I'm using the dynamic DNS service, via no-ip.com. This is configured to use the IP address source of private. Then just use that hostname in place of the IPs. I had to do this as each time the RUTs power cycle they get a new IP.
[1] https://wiki.teltonika-networks.com/view/OpenVPN_configuration_examples
Crucially, they all have to be on the same APN. I have not yet pushed into configuring them as clients of a cloud OpenVPN service.
The other option was to go with more expensive publicly routable SIM cards, then the locksmith/operator connects to each site. I preferred the idea that the locksmith/operator simply connects to the RUTxxx in his office and all buildings are accessible when updates/logs are pushed & pulled. Publicly routable SIMs also have more potential bad traffic; at least that's a positive of the private APN.
I did find one provider that would let you connect to the private APN via a PC, using a bit of software; no pricing, just a "contact us", which I've not done yet.
I only need to do this as I have to talk to devices within the buildings. If it was all push from the buildings, life would be easier, but where is the fun in that?