
For my home network the only thing that's exposed out of my router is an OpenVPN server on a non-default port.



I do similar but I personally recommend OpenVPN on 443/tcp rather than 1194/udp. It looks like SSL traffic because that is essentially what it is. Make sure you use your own locally signed CA and certs and enforce CA trust for a successful connection - to avoid any silly MitM tricks.

There is a reasonable argument against using tcp for the tunnel instead of udp due to what can happen to latency when you have a tcp inside tcp stream when one or the other or both are dealing with retransmits (bear in mind that tcp has some guarantees about delivery, whereas udp does not).

In theory you can get an exponential stand off instead of linear due to tcp (say RDP or http) in tcp (openvpn). In practice I find that it does not generally matter these days and I can generally stream BBC iPlayer when abroad with minimal fuss over OpenVPN.


It's actually very easy to detect OpenVPN on port 443 because it isn't really TLS traffic. Much better to use OpenConnect with ocserv, it opportunistically uses DTLS over UDP on 443, and if it can't do that it can use normal TLS. Much harder to detect and gives you the performance boost of UDP when possible.


My ISP blocks many ports which would generally be considered useful to host services on.

https://www.cox.com/residential/support/internet-ports-block...


I have the same, but also have an IP ACL on the VPN ports / protocols (only on new connections). When I do need to connect from a random remote IP, I have a port knocking rule that adds the IP for 5min to the ACL.

I actually have the port knock action on a blank website with an unusual subdomain. So when I need it I pull up the website and can then VPN in temporarily.
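The knock-then-allow scheme in the comment above, as an added Python example that is not the commenter's own setup: a temporary allow list keyed by source IP, where the knock (a function call standing in for the web-hit trigger) grants the address for 5 minutes and the VPN port's new-connection check consults it. The class, function names and IP addresses are assumptions constructed for this example.

```python
import ipaddress
import time
from typing import Dict, Optional

# Lifetime of a knock-granted entry, matching the 5-minute window described above.
KNOCK_TTL_SECONDS = 300


class KnockAllowList:
    """Hypothetical temporary source-IP allow list fed by a port-knock trigger.

    The knock handler calls grant(); the firewall's check for NEW connections to
    the VPN port calls is_allowed(). Because only new connections are checked,
    a session established inside the window survives the entry's expiry.
    """

    def __init__(self, ttl: int = KNOCK_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._expires: Dict[str, float] = {}  # normalised IP -> expiry timestamp

    def grant(self, ip: str, now: Optional[float] = None) -> float:
        """Record a knock from `ip` and return the entry's expiry timestamp."""
        key = str(ipaddress.ip_address(ip))  # rejects malformed input before it reaches the ACL
        now = time.time() if now is None else now
        self._expires[key] = now + self.ttl
        return self._expires[key]

    def is_allowed(self, ip: str, now: Optional[float] = None) -> bool:
        """True only while an unexpired grant exists for `ip`; stale entries are purged."""
        try:
            key = str(ipaddress.ip_address(ip))
        except ValueError:
            return False  # never let an unparseable address through
        now = time.time() if now is None else now
        self._purge(now)
        return key in self._expires

    def _purge(self, now: float) -> None:
        for key, expiry in list(self._expires.items()):
            if expiry <= now:
                del self._expires[key]


def demo() -> list:
    """Walk through knock, allowed, expired with constructed timestamps and a constructed IP."""
    acl = KnockAllowList()
    t0 = 1_700_000_000.0  # constructed epoch time
    before = acl.is_allowed("203.0.113.7", now=t0)        # no knock yet: blocked
    acl.grant("203.0.113.7", now=t0)                      # the web hit / knock fires
    during = acl.is_allowed("203.0.113.7", now=t0 + 299)  # inside the 5 min window
    after = acl.is_allowed("203.0.113.7", now=t0 + 300)   # window elapsed: blocked again
    return [before, during, after]
```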



