This should be super easy, I think I'm missing something obvious.
The OpenVPN docs state that you can run the management interface on a Unix domain socket. OK, no problem, I tried that.
openvpn --dev tun --management /dev/openvpn unix
This seems to work; device is created, and OpenVPN starts.
How does one connect to the management interface though? It isn't TCP so Netcat won't work. I tried echoing commands directly to the socket and got an error:
$ echo "help"| /dev/openvpn
bash: /dev/openvpn: No such device or address
I know I'm missing something basic, but I could find zero examples on the internet of anyone actually connecting to the management interface on a Unix domain socket.
I answered it myself, 1 minute after posting.
Short answer, "Use socat"
Ref: https://unix.stackexchange.com/questions/26715/how-can-i-communicate-with-a-unix-domain-socket-via-the-shell-on-debian-squeeze
Long answer:
EDIT: What I ended up actually doing
I didn't like the idea of installing a new tool when telnet/netcat over TCP works pretty well. So in the end I configured OpenVPN with a TCP management listener, and blocked (via firewall and hosts.allow) external access to the port it listens on. i.e. One can only connect to the OpenVPN management port on localhost.