ANSWER:

The best way to do this is to give each group its own /24 subnet or break up your 10.10.11.0/24 and do some iptables magic to block dev users..

But I think the best thing to do, if your network supports it, is vlan tag each subnet. Give the dev users their own /24 in openvpn and then some firewall rules to only allow the dev vlan to be able to connect to certain other lans.

by Mike from http://serverfault.com/questions/391689