I use DNS-01 for single-domain certs for private subdomains all the time (not behind VPN, but on internal IPs).
@gborbonus I recommend installing an instance of acme-dns in the cloud (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely), and then delegating it to handle your acme-challenges. That will streamline automated and manual installs.