What's the best method to monitor an OpenVPN server?

I do it remotely, via NAGIOS, using a local plugin called check_openvpn.pl, invoked via nrpe, which in turn uses OpenVPN's built-in management capability to report on its detailed status.

Since you're using TCP as the VPN bearer, you could do a simple TCP connectivity check on port 1194 (as Dennis notes in his answer) but the advantage of this plugin is it runs a fairly rigorous check of OpenVPN, and reports the CNs currently connected to the server. If it's reporting at that level, I can have confidence that the server is completely up and offering service to the world at large, which a simple connectivity check wouldn't give me.

The plugin came from this page at NAGIOS exchange; the author's website is apparently http://emergeworld.blogspot.com.

The gory details are: the following entry in the NAGIOS server's config (plus appropriate connecting logic):

define service{
    use                 myconf-svc
    host_name           openvpn.server.hostname
    service_description openvpn
    check_command       check_nrpe!check_openvpn
    }

Then this in the OpenVPN server's nrpe.cfg:

command[check_openvpn]=/usr/lib64/nagios/plugins/check_openvpn.pl -H localhost -p 11940 -P XXXXXXX

Then this at the end of the OpeVPN server's `.conf' file:

# enable the mgmt interface for monitoring - tom 20120814
management 127.0.0.1 11940 /etc/openvpn/man.pass

Note the 11940 common to the both the previous data; that's the port number for the management interface. The password in the nrpe.cfg entry above (shown as XXXXXXX) should also appear in the file /etc/openvpn/man.pass.

For OpenVPN, I simply monitor whether it is listening on the usual port:

define command {
        command_name    check_openvpn
        command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p 1194
}