Minimum Linux security settings on VPS?
I am an absolute beginner in Linux. My question is about configuring the security of a Linux OS on a VPS. Initially I just installed OpenVPN and started it (everything works). Then, gradually, various questions began to appear. Not knowing the system, I do not know what to pay attention to first.
Given:
- VPS
- OS selected: Debian 8
- SSH key connection.
I have already read and done some things:
- prohibit login by root/password
- create a separate user
- check and disable unnecessary services (which are currently not needed for work)
The list may be ridiculous, but I would like to understand what is critical to set up on a fresh distribution.
For example: iptables, is it worth touching it, and which rules are important to enter first? What to prohibit and what to allow?
Another example: I ran netstat and, besides myself, saw some Chinese ADSL address among the Internet connections (reconnecting every minute). Googling found it in blacklists as an SSH scanner. What was it: just an external connection, or did it manage to log in?
What is a must read? What books, articles, playlists with videos on YouTube? What do you recommend?
I apologize in advance for the noob questions.
PS: my main OS is not Linux, so I prefer to study it through the console only, without separate installations of distributions with a GUI.
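The netstat question above ("just an external connection, or did it manage to log in?") is answered by sshd's own log, not by netstat: a scanner that was refused leaves only "Failed" or "Connection closed" lines, a scanner that got in leaves an "Accepted" line. The script below is an added example, not part of the question or of any answer; it reads sshd entries from /var/log/auth.log (the Debian 8 location) and separates refused attempts from successful logins. The log lines in make_sample_log are constructed for the demonstration and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the question or any answer): read the sshd lines
# in /var/log/auth.log to tell "someone knocked on port 22" apart from
# "someone got in". The log lines in make_sample_log are constructed.
set -eu

# One line per successful login: USER IP METHOD.
accepted_logins() {          # accepted_logins LOGFILE
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i <= NF; i++)
           if ($i == "Accepted") print $(i+3), $(i+5), $(i+1)
       }' "$1"
}

# Failed attempts per source address, busiest first: COUNT IP.
# Only "Failed ..." lines are counted so one attempt is not counted twice
# (sshd also logs a separate "Invalid user" line for unknown accounts).
failed_by_ip() {             # failed_by_ip LOGFILE
  awk '/sshd\[[0-9]+\]: Failed / {
         for (i = 1; i <= NF; i++)
           if ($i == "from") c[$(i+1)]++
       }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Successful logins that contradict a key-only, no-root policy:
# any method other than "publickey", or any login as root. Prints USER IP METHOD.
policy_violations() {        # policy_violations LOGFILE
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i <= NF; i++)
           if ($i == "Accepted" && ($(i+1) != "publickey" || $(i+3) == "root"))
             print $(i+3), $(i+5), $(i+1)
       }' "$1"
}

# Constructed sample in the format sshd writes via syslog on Debian 8.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
make_sample_log() {          # make_sample_log OUTFILE
  cat > "$1" <<'EOF'
Mar  1 10:00:01 vps sshd[1234]: Failed password for root from 203.0.113.5 port 4444 ssh2
Mar  1 10:00:03 vps sshd[1236]: Invalid user admin from 203.0.113.5
Mar  1 10:00:03 vps sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 4446 ssh2
Mar  1 10:01:10 vps sshd[1240]: Failed password for root from 203.0.113.9 port 5012 ssh2
Mar  1 10:05:00 vps sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 52000 ssh2: RSA 8b:3a:11:0c:7e:2f:91:aa:de:45:c3:02:6b:17:f8:90
Mar  1 10:06:00 vps sshd[1310]: Accepted password for root from 203.0.113.5 port 4500 ssh2
EOF
}

# Run on the file given on the command line, or on the sample when none.
if [ $# -gt 0 ]; then
  LOG=$1
else
  LOG=$(mktemp); make_sample_log "$LOG"; trap 'rm -f "$LOG"' EXIT
fi
echo "== accepted logins (user ip method)";      accepted_logins "$LOG"
echo "== failed attempts per source (count ip)"; failed_by_ip "$LOG"
echo "== logins violating key-only/no-root";     policy_violations "$LOG"
```

Run it as `sh sshlog.sh /var/log/auth.log` (older days are in auth.log.1 and the rotated .gz files; use `zcat` on those). `last -i` and `lastb` show the same successes and failures from wtmp/btmp and are a useful cross-check. Two caveats: on a server where password authentication is already off, a "Failed password" from the scanner's address only means it was refused; and an attacker who did get root can edit the log, so a clean auth.log is reassuring, not proof.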
You have already done a number of these points, but I will describe them anyway for the sake of completeness of the list.
1. Create a separate user with a good sudo password. Don't use root directly anymore. At all.
2. SSH. Disable the password authentication method. If you do not need the other methods, disable them too, leaving only publickey. Disable root login. Enable only version 2 of the SSH protocol.
3. Install Fail2Ban and configure it so that after several unsuccessful SSH connection attempts the IP is banned for a long time. The number of attempts and the ban time can be tuned to the level of your paranoia. For example, mine bans for an hour after 2 unsuccessful attempts.
4. Iptables. Act on the principle of "everything that is not allowed is prohibited". By default, drop all INPUT and FORWARD traffic from outside. Open port 22 on INPUT. Later, open ports / forwarding as needed. If services on neighboring servers are needed only for internal communication (Memcached, Redis, etc.), open their ports only for specific IPs. They should not just stick out for everyone.
5. Set up automatic updates of apt packages at the security level: security updates are rolled out automatically, but updates that change the major version are not (to protect yourself from "it broke by itself").
6. Install ntpd. Server time must be accurate. It is also best to set the server's timezone to UTC.
7. Use TLS (not SSL) wherever possible. Get free valid certificates through Let's Encrypt. In the configs of web servers, mail servers and other externally exposed applications (including OpenVPN), prohibit / remove weak ciphers. Generate all keys/parameters with at least 2048 bits. Sign self-signed certificates with SHA-256 (not SHA-1). Diffie-Hellman parameters (dh.pem) should be generated separately for each service. Check the TLS of services with Nmap. The minimum grade must be A, with no warnings.
8. Proper user/group management. Applications/services should not run as root (unless they really require it and nothing else works). Each service gets its own user.
9. If files are to be uploaded via PHP (or other scripting languages), then in the directory where these files land (and which is accessible from outside), any execution of scripts / binaries must be strictly prohibited, both at the OS level (x rights) and at the web server level.
That was the base.
Further, to the level of your paranoia, you can 'harden' the server with the following points:
- SELinux, chroot
- access to SSH only from certain IPs (you need to have 3-4 VPN servers at hand)
UPD: And yes, remembering / adjusting all of it by hand every time can be confusing. Use Ansible and automate the process (it is native YAML, Jinja2 and Python).
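Points 2 to 5 of the answer above are all configuration files, so they can be written by a script and reviewed before they touch the live system. The script below is an added example, not the answer author's code: it lays the sshd, fail2ban, iptables and unattended-upgrades settings down under a staging root (for example /tmp/stage) so you can diff them against /etc and only then copy them over. It assumes OpenVPN on 1194/udp over tun0, Redis on 6379 as the "internal only" service reachable from one admin IP, and the jail name fail2ban 0.8.x uses on Debian 8; change those to match your server.

```shell
#!/bin/sh
# Added example, not code from the answer above: writes the sshd, fail2ban,
# iptables and unattended-upgrades settings from points 2-5 under a staging
# root (e.g. /tmp/stage) so the result can be reviewed and diffed before it
# is copied into the real /etc. Assumptions: OpenVPN on 1194/udp over tun0,
# Redis on 6379 as the "internal only" service, and the fail2ban jail name.
set -eu

# Set one sshd_config directive idempotently: remove every existing line for
# KEY (commented out or not) and append "KEY VALUE". Caveat: assumes the file
# has no trailing "Match" block, since an appended line would fall inside it.
set_sshd_option() {   # set_sshd_option FILE KEY VALUE
  tmp=$(mktemp)
  grep -Ev "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|\$)" "$1" > "$tmp" || true
  printf '%s %s\n' "$2" "$3" >> "$tmp"
  cat "$tmp" > "$1"   # cat, not mv: keeps the original file's mode and owner
  rm -f "$tmp"
}

# Point 2: key-only, no root, protocol 2 only.
harden_sshd() {       # harden_sshd /etc/ssh/sshd_config
  set_sshd_option "$1" Protocol 2
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# Exit 0 only if each required directive is present exactly once, uncommented.
sshd_is_hardened() {  # sshd_is_hardened /etc/ssh/sshd_config
  for kv in 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication no'; do
    [ "$(grep -Ec "^$kv\$" "$1")" -eq 1 ] || return 1
  done
}

# Point 3: fail2ban, 2 failed attempts within 10 minutes -> 1 hour ban.
write_fail2ban_jail() {    # write_fail2ban_jail /etc/fail2ban/jail.local
  cat > "$1" <<'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 2
# Debian 8 ships fail2ban 0.8.x, where the jail is "ssh"; 0.9+ names it "sshd".
[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
EOF
}

# Point 4: default-deny INPUT/FORWARD in iptables-restore format (load with
# iptables-restore; the iptables-persistent package reloads it at boot).
write_iptables_rules() {   # write_iptables_rules FILE SSH_PORT [ADMIN_IP]
  {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo "-A INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
    echo '-A INPUT -p udp --dport 1194 -j ACCEPT'          # OpenVPN (assumed port)
    if [ -n "${3:-}" ]; then                                 # internal-only service:
      echo "-A INPUT -p tcp -s $3 --dport 6379 -j ACCEPT"   # Redis, from ADMIN_IP only
    fi
    echo '-A FORWARD -i tun0 -j ACCEPT'                      # VPN clients out ...
    echo '-A FORWARD -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'  # ... replies back
    echo 'COMMIT'
  } > "$1"
}

# Point 5: security updates only, never a suite/major-version jump.
write_unattended_upgrades() {   # write_unattended_upgrades /etc/apt/apt.conf.d
  cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Lay everything down under ROOT (use / on the server itself, as root).
stage() {   # stage ROOT SSH_PORT [ADMIN_IP]
  mkdir -p "$1/etc/ssh" "$1/etc/fail2ban" "$1/etc/iptables" "$1/etc/apt/apt.conf.d"
  [ -f "$1/etc/ssh/sshd_config" ] || : > "$1/etc/ssh/sshd_config"
  harden_sshd "$1/etc/ssh/sshd_config"
  write_fail2ban_jail "$1/etc/fail2ban/jail.local"
  write_iptables_rules "$1/etc/iptables/rules.v4" "$2" "${3:-}"
  write_unattended_upgrades "$1/etc/apt/apt.conf.d"
}

# Usage: sh harden.sh /tmp/stage 22 198.51.100.7   (then diff /tmp/stage/etc /etc)
if [ $# -ge 2 ]; then stage "$@"; fi
```

Before loading the iptables file, keep a second SSH session open and test with `iptables-restore < rules.v4` from a shell that can still reach the box; a typo in the SSH rule on a default-DROP INPUT chain locks you out. The packages involved are fail2ban, unattended-upgrades and iptables-persistent; point 6 is just `apt-get install ntp` and `timedatectl set-timezone UTC`. OpenVPN clients also need a MASQUERADE rule in the nat table for their subnet, which is not part of this filter-table file. Reload sshd only after `sshd -t` reports the edited config as valid.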
As an employee of a hosting provider, I strongly support what Tyranron wrote, and I will add some subjective statistics on how VPS and dedicated servers get hacked:
1. Simple passwords and open root access.
2. No less simple passwords and secret questions for email, the answers to which can be found on VK or Facebook.
3. Outdated software, first of all the CMS, second everything else.
Remember, VPS security is not only the VPS settings but also the security (inaccessibility to strangers) of your password (do you use KeePass or analogues?), your SSH key (does it have a password?), and the email through which the password for your hosting provider account can be reset, after which someone can reset the password or write a ticket to technical support. And the security of the computer from which you access the VPS.
Turn on two-factor authentication if your email provider and hosting provider offer it; if it is too stressful for ordinary mail, create a separate mailbox for very important letters and turn it on there.
If only OpenVPN is running on the server, I would not bother with additional protection.
In general, yes, it's good if you set up authorization by key and / or disable access for root.
This helps against Chinese servers pounding on port 22.
Not a suitable distribution for a beginner, and plugins do not support new versions; reinstall with, for example, Ubuntu with a graphical shell or similar, and install AppArmor.