Citing Jan Just Keijser from the OpenVPN forum
OpenVPN provides authentication, not access control (authorization), nor should it, in my opinion. The options you mention are the only options you have, unless you also want to throw in username+password control.
You could use a sub-CA (intermediary CA); each client cert would be signed by a specific sub-CA; the clients need only the "root" CA to connect to a server, but the servers can allow access based on the sub-CA used for a client.
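
One way a server could apply the sub-CA idea from the quote, as an added example that is not part of the quoted post or of OpenVPN's own code: a hook for the `tls-verify` directive that accepts a client only when its direct issuer is one specific sub-CA. The script path and the sub-CA subject string are assumptions.

```shell
#!/bin/sh
# Added example, not from the quoted post. Hypothetical server-side hook for
# OpenVPN's tls-verify directive, which runs the command once per certificate
# in the client's chain as:  cmd <certificate_depth> <subject>
# Server config (path is an assumption):
#   script-security 2
#   tls-verify /etc/openvpn/check-subca.sh

# Constructed sample value: subject of the one sub-CA this server accepts.
# Copy the exact string your server logs for that sub-CA certificate.
ALLOWED_SUBCA_SUBJECT="C=NL, O=Example Org, CN=Example Sub-CA Engineering"

# Returns 0 to accept the certificate at this depth, 1 to reject it.
verify_subca() {
    depth=$1
    subject=$2
    case $depth in
        ''|*[!0-9]*) return 1 ;;   # malformed depth: fail closed
    esac
    # Depth 0 is the client certificate and depth 1 is its direct issuer.
    # Only depth 1 is policed here; OpenVPN still validates the whole chain
    # against the root CA on its own.
    if [ "$depth" -ne 1 ]; then
        return 0
    fi
    # A client signed directly by the root shows the root at depth 1 and is
    # rejected, as is a client signed by any other sub-CA.
    if [ "$subject" = "$ALLOWED_SUBCA_SUBJECT" ]; then
        return 0
    fi
    return 1
}

# Run as a hook only when OpenVPN supplies the two arguments.
if [ "$#" -ge 2 ]; then
    verify_subca "$1" "$2"
    exit $?
fi
```

Because the match is on the subject string, the root CA must never issue a second sub-CA with the same subject.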