Note that deep packet inspection will be able to identify this as OpenVPN traffic the way its configured right now. You can configure OpenVPN to use a fixed key [1] at which point the traffic is indistinguishable from random noise and no longer has any protocol data. The big tradeoff here is that this disables perfect forward secrecy; you can't add this as an extra layer on top.
You may also want to specify "cipher AES-256-CBC" in both client and server config to upgrade from the default AES-128 it uses.
You may also want to specify "cipher AES-256-CBC" in both client and server config to upgrade from the default AES-128 it uses.
[1]: https://openvpn.net/index.php/open-source/documentation/misc...