I am using NethServer for DNS and OPNsense for DHCP, so that should check out just fine.
To be clear: the NethServer machine only has one ethernet interface, which is on the green network, 192.168.4.0/24. I’ve added 192.168.1.0/24 as a Trusted Network, which is where my clients reside. However, while testing late last night I forgot that I was testing from a client on the VPN network, 10.0.0.0/24, which was not a trusted network. I just added the VPN subnet to the Trusted Networks and configured dnsmasq to only work on the green network, and it works - I can dig from my VPN client machine to the NethServer address.
tl;dr: don’t forget that VPN clients aren’t actually on the client network