I don't think there's a good way to do this. The problem is that the authentication methods supported by Google, such as OAuth, are really geared around authenticating web applications. The key aspect of this is that you (as an application user) never give your credentials to the third-party site. The site directs you to an auth page at Google, which you sign in to and authorize the third-party site.
With OpenVPN being a non-web-based application, I think it would be almost impossible to do this in a reasonable way. You'd basically have to write a custom OpenVPN authentication module that hits Google's OAuth API, requests an authentication token, then presents the user with a special URL they'd have to go to, where they'd sign in, get an access code, which they'd then have to enter into the OpenVPN authentication so it could go back to your OpenVPN authentication module to return to Google to get a "yay" or "nay" on authenticating you. If it sounds convoluted, that's because it is.
Assuming your mention of Google Apps means you're using the paid version of Google Apps (now called Google Apps for Work), your best bet would probably be to set up Single Sign-On (SSO), where your internal identity management system is the source of truth, and both Google Apps and your OpenVPN system authenticate against it. You can find out more about Google Apps SSO by just googling for it. Be aware, it's not necessarily a simple process, and often requires some effort to implement.
Basically, you need a way to supply your credentials to OpenVPN, and then have it authenticate on your behalf. This only works for cases where your users will trust their credentials to the application (in this case VPN). That works for corporate authentication, but doesn't match Google's vision where there are untrusted applications.
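
The model described in the last paragraph, where OpenVPN receives the user's credentials and checks them against an internal identity store, shown as an added example that is not part of the original answer: a script for OpenVPN's `auth-user-pass-verify <script> via-file` hook. The `DIRECTORY` dictionary, the user `alice` and the helper names are constructed stand-ins for a lookup against a real directory.

```python
#!/usr/bin/env python3
"""Credential check for OpenVPN's `auth-user-pass-verify <script> via-file`."""
import hashlib
import hmac
import sys

ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed stand-in for the internal identity store (the "source of truth").
# A real deployment would query the directory that Google Apps SSO also uses.
_SALT = b"constructed-salt"
DIRECTORY = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}
_DUMMY = (_SALT, hash_password("dummy", _SALT))

def check_directory(username: str, password: str) -> bool:
    # Unknown users are hashed against a dummy record so that response time
    # does not reveal which account names exist.
    salt, stored = DIRECTORY.get(username, _DUMMY)
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in DIRECTORY

def verify_credentials_file(path: str, backend=check_directory) -> bool:
    """In via-file mode, line 1 is the username and line 2 the password."""
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except (OSError, UnicodeDecodeError):
        return False
    if len(lines) < 2:
        return False
    username, password = lines[0], lines[1]
    # Fail closed on empty values; with an LDAP backend an empty password
    # would turn a simple bind into an unauthenticated bind.
    if not username or not password:
        return False
    return backend(username, password)

if __name__ == "__main__":
    # OpenVPN treats exit status 0 as accept and any non-zero status as reject.
    ok = len(sys.argv) == 2 and verify_credentials_file(sys.argv[1])
    sys.exit(0 if ok else 1)
```

Because the server sees the plaintext password here, this only fits the corporate case the answer describes, where users already trust the VPN with their credentials.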