So here’s your big challenge. Let’s ignore the security problems for a moment.
First, cellular data tends to be expensive and openHABian downloads something like one gig or more when it sets itself up. You would be far far better off setting up openHABian once on wifi (at home). Then configure that already set up image to use the cellular network. Then clone THAT already set up SD card for use in the RPis that actually get deployed.
The next big challenge is, again ignoring security, how are you going to access this device? The cellular network is going to assign some IP address to the device and you don’t know ahead of time what that IP address will be nor do you have any control over what that IP address will be. So how do you discover what publicly facing IP address your RPi was assigned? What do you do when it changes?
This one is probably easier to solve. I’d recommend using myopenhab.org for remote access to OH itself and one of the various remote access services for RPi that are offered. Then you don’t need to know what the IP address of the RPi ends up being. Also, that lets you address security by setting up the host firewall to reject ALL incoming connections. You can do this because OH initiates the connection to myopenhab.org and the RPi will initiate the connection to the remote access service.
Just a username and password is not sufficient protection to put any computer on the Internet nakedly. And, not to be harsh, but if you had the knowledge and skills to protect and monitor a computer directly exposed to the internet you wouldn’t be asking this question. It takes a lot of work and a lot of continuous monitoring to do this safely and even companies with whole teams of experts fail to do this safely.
A VPN is another way. The RPi will only be exposed to the Internet for a brief moment while booting while it works to establish the connection to the VPN. Once it connects to the VPN, the remote RPi will appear as part of your local network and if properly configured, will not be exposed to the internet.
But don’t ignore that brief exposure to the internet. There are literally tens of thousands of active bots out there that can detect and attack your machine within a second of your machine appearing on the network. The briefness of the connection is only a very tiny bit of protection.
Again, a firewall like UFW can help as you can configure it to reject connection attempts except from certain IP addresses. That would essentially only allow connection from your LAN, making it refuse all connections during that brief moment when it is connecting through the VPN.
Doing this and doing it safely is hard. Doing it without the protection from a residential gateway is even harder. Good luck!
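
Added example, not part of the original post: a shell script that builds the UFW policy described above, rejecting all inbound connections except from one trusted subnet. The subnet `192.168.1.0/24`, ports 22 and 8080, and the function names `ufw_plan` and `ufw_apply` are assumptions for illustration; with no ports given it produces the pure "reject ALL incoming" policy that fits the myopenhab.org setup.

```shell
#!/bin/sh
# Added example: default-reject inbound UFW policy for a remotely deployed RPi.
# The subnet and ports used below are constructed sample values.

# Print the ufw commands for "reject everything inbound except from one subnet".
# Usage: ufw_plan <cidr> [tcp-port ...]
ufw_plan() {
    cidr=$1
    [ $# -gt 0 ] && shift
    # Require a dotted-quad/prefix shape; a /0 source would allow the whole
    # Internet and defeat the policy, so it is refused.
    if ! printf '%s\n' "$cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'; then
        echo "refusing source '$cidr': need a.b.c.d/1-32" >&2
        return 1
    fi
    echo "ufw default reject incoming"
    echo "ufw default allow outgoing"   # OH and the VPN client dial out
    for port in "$@"; do
        echo "ufw allow from $cidr to any port $port proto tcp"
    done
    # Enable last, so the allow rules already exist when filtering starts.
    echo "ufw --force enable"
}

# Print the plan; execute it only when APPLY=1 (needs root and ufw installed).
ufw_apply() {
    plan=$(ufw_plan "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$plan" | while read -r cmd; do $cmd || exit 1; done
    else
        printf '%s\n' "$plan"
    fi
}

# Constructed sample: home LAN 192.168.1.0/24, SSH (22) and openHAB (8080).
ufw_apply 192.168.1.0/24 22 8080
```

After applying, `ufw status verbose` shows the default policies and the per-subnet rules that are actually in force.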