By default, openvpn does not reserve IPs assigned to clients in the client config dir, rather it still gives out those IPs to other clients. To prevent that, the server should be created with "nopool" and a custom pool added without the reserved IPs. The script should validate that all the client IPs are outside of the pool. Since I can't find a reference to openvpn supporting multiple pools, which would allow us to exclude single IPs from the pool automatically, the script would require setting a custom pool (via a new config node, e.g. 'server pool ...') if any 'server client ip' is defined. That would also mean a non-migratable change to the validation. (Ideally multiple ifconfig-pool can be defined, allowing us to automatically exclude client ips from the pool, I need to try if openvpn supports that).