pfSense

It is currently documented at https://doc.pfsense.org/index.php/DHCP_Relay that DHCP Relays don't work over IPsec tunnels. However, it turns out they don't work over OpenVPN tunnels either.

From my observations (with packet filtering completely disabled to rule that out as a cause):

DHCP query gets broadcast by client.
DHCP query gets sent on as unicast to DHCP server by relay.
DHCP server responds with unicast to DHCP relay address
DHCP relay DOES NOT forward packet on to client! (Expected behaviour: It should do this)

Tracing this back, it would appear that this is an old bug that's been known since at least 2007, as discussed on this mailing list post: https://lists.isc.org/pipermail/dhcp-users/2007-February/002787.html

Right now, the only available workarounds as far as I know are:

1. Use something else to do DHCP relay (such as your switch, or a different pfSense box that doesn't run OpenVPN)
2. Use a local DHCP server rather than running DHCP relay