@nicolati 

Assuming you are powering the APs via some method other than a POE switch then maybe.  Why maybe, read on.

The Omada 'stack' as I call it consists of a gateway+switch(es)+AP(s), and this forms a 'site', one or more of which can be managed by a controller.

To manage a remote site, it needs to access its controller over the internet, not a site-site VPN because that would create a situation where one Omada gateway sits below another Omada gateway and the controller has no idea what to do with that.  As an example of how well this doesn't work, I actually have a site-site VPN tunnel between two of my sites, each running a local controller, and neither controller is even remotely aware of the other devices at the far end of the tunnel.  I believe this is because the broadcast traffic (used by omada for discovery/adoption) is not 'invited' to cross the VPN tunnel.

To make this work, at least in a way I have made it work before, your remote site needs to be able to 'find' your controller on the internet.  Normally this is done by having a static IP/domain or DDNS assigned to the primary site.

The actual mechanics can be done 2 ways and either way will need ports 27001-29814 to be forwarded to the controller via the primary router.

1. set devices up locally to controller and add them to a site before sending them to final destination, configuring the URL for the home controller on them

2. at remote destination, log into each device, and enter the public ip of the controller in the controller section on each device(usually in system>controller settings)

Read this: https://www.tp-link.com/no/support/faq/3087/ 

  @nicolati 

The ER605 has zero POE output...so either power the APs via DC wall adapters, or POE injectors, or a cheap POE switch, or for full functionality an Omada capable switch like the SG2210P or SG2008P or SG2005P-PD

One problem with the FAQ's VPN method is that TPlink's B2B IPSEC connectivity requires (or at least used to require) public static IP's at both ends and also didn't work over Starlink (ESP filtering).

The port forwarding approach does work and only the controller end needs to be static OR Dynamic DNS if you get a dynamic public IP; and with only 3 devices, configuring the URL on the router and two APs is pretty easy.  My recommendation would be to set them up initially as all wired devices, then disconnect one of the APs and within a few minutes of powering it back up, you should see it announce as ready for adoption.