The openvpn-otp plugin is fun and could enable some interesting things for a company: we could use MFA (multi-factor authentication), meaning login + PIN (known by the user) + otp_pin.
# use totp-30-6 and sha1/hex for hardware based 30 seconds / 6 digits otp tokens + known pin (here 6543)
mike otp totp-30-6:sha1:hex:5c5a75a87ba1b48cb0b6adfd3b7a5a0e:6543:xxx *
Here the user must enter known_pin + otp_token in the same password input. The downside is that the known PIN is stored in clear text in the text file, and a user who is not listed is not allowed to connect to the OpenVPN server. This could be a problem if we set an OTP policy that forces OTP for all users, because people out of the office could not enable OTP in their settings page.
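To make the PIN + token check concrete, here is an added example (not the plugin's own code) that parses the entry above and validates a combined password with standard RFC 6238 TOTP. The field names, the PIN-before-code order and the one-step drift window are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

# Entry copied from the page; the field names are this example's reading of it.
SECRETS_LINE = "mike otp totp-30-6:sha1:hex:5c5a75a87ba1b48cb0b6adfd3b7a5a0e:6543:xxx *"

def parse_entry(line):
    """Split 'user server method:hash:encoding:key:pin:udid client'."""
    user, _server, spec, _client = line.split()
    method, algo, encoding, key, pin, _udid = spec.split(":")
    _name, step, digits = method.split("-")      # e.g. totp-30-6
    if encoding != "hex":
        raise ValueError("this example only handles hex-encoded keys")
    return {"user": user, "algo": algo, "key": bytes.fromhex(key),
            "pin": pin, "step": int(step), "digits": int(digits)}

def totp(entry, unix_time):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // entry["step"])
    mac = hmac.new(entry["key"], counter, getattr(hashlib, entry["algo"])).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** entry["digits"]).zfill(entry["digits"])

def check_password(entry, user, password, unix_time, drift=1):
    """Accept only a listed user whose password is PIN followed by a valid code."""
    if user != entry["user"]:
        return False                              # unlisted users are rejected
    n = len(entry["pin"])
    pin, code = password[:n].encode(), password[n:].encode()
    pin_ok = hmac.compare_digest(pin, entry["pin"].encode())
    # Assumed tolerance: accept the previous, current and next time step.
    candidates = [totp(entry, unix_time + d * entry["step"]).encode()
                  for d in range(-drift, drift + 1)]
    code_ok = any([hmac.compare_digest(code, c) for c in candidates])
    return pin_ok and code_ok

if __name__ == "__main__":
    now = 1_700_000_000                           # constructed timestamp
    entry = parse_entry(SECRETS_LINE)
    typed = entry["pin"] + totp(entry, now)       # what the user would type
    print(check_password(entry, "mike", typed, now))
```

The PIN comparison works only because the file holds the PIN in clear text, which is the downside noted above.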
Now I would like to use this plugin with openvpn-auth-ldap; it seems they can work together.