When deploying balena devices in corporate environments, OpenVPN is extremely problematic. All modern firewalls detect and block outbound VPN traffic, even if over port 443 (TLS connection setup is very different from OpenVPN setup). Additionally, many of these environments have MITM requirements where AdditionalCACertificate and Redsocks will attempt to proxy OpenVPN, but the MITM inspection gateway will reject the OpenVPN connection - just like the firewalls do.
As far as I can tell, there are zero balena use cases for Cloudlink that are not easily accomplished over a WebSocket, and a standard TLS WebSocket would work flawlessly in corporate environments.
Switching to a WebSocket would provide significantly more flexibility and compatibility.