I have a variety of OpenVPN VPN servers I connect to from my Ubuntu 17.04 machine, all of which push DNS servers using `dhcp-option DNS A.B.C.D` (which I know is a Windows extension, but that's how they're pushed). The DNS servers (for each provider) change rarely, so I can also enter them manually if need be.
I add a VPN using its `.ovpn` config file via Gnome's Network Settings ("+" > "Import from file..."), making it available only to the current user. By contrast, the physical connection is a wifi connection available to all users.
The VPN's DNS servers are simply not used by the system. If I just accept the config as given in the file, the VPN connects but the DNS servers don't even appear in the output of `systemd-resolve --status`. If I add them to the IPv4 settings manually, they do but are not used.
For example, before connecting, the output of `systemd-resolve --status` shows this at the end:

```
Link 3 (wlp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.1.1
Link 2 (enp0s31f6)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
```

`192.168.1.1` is my router. After connecting to the VPN I see this extra entry above the others:
```
Link 9 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: A.B.C.D
             E.F.G.G
```

`A.B.C.D` etc. stand for the DNS of the VPN provider. However, I've confirmed via packet inspection that even with these new entries, DNS lookups are done via `192.168.1.1`, which just uses my ISP's servers.
For completeness, `ip route show` gives:

```
$ ip route show
default via 10.7.7.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp3s0 proto static metric 600
10.7.7.0/24 dev tun0 proto kernel scope link src 10.7.7.182 metric 50
I.J.K.L via 192.168.1.1 dev wlp3s0 proto static metric 600
169.254.0.0/16 dev wlp3s0 scope link metric 1000
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.193 metric 600
192.168.1.1 dev wlp3s0 proto static scope link metric 600
```

(`I.J.K.L` is the VPN address.) It seems weird that there are two different default routes, but I guess the metric is meant to take care of that?
Whatever the cause, I want to be using the VPN provider's DNS when I'm connected to the VPN, and not use them when I'm not. I considered trying to create a second Network Manager profile for my wifi access point with the provider's DNS entries, but it turns out you can't create a second (or user specific) profile for an access point that Network Manager already knows about.
Things I'd prefer to avoid:

- Modify the `.ovpn` config files. I have about a hundred of these, and they're updated regularly by the VPN providers.
- Permanently change DNS servers for the system-wide connection used for wifi, or for the router itself. I only want to use the VPN's DNS servers when I'm connected to a VPN.
- Run a command manually every time I connect to a VPN. I or another user could easily forget to do this.
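As an added example that is not part of the question above: a POSIX shell script that parses the two outputs the question quotes (`systemd-resolve --status` and `ip route show`) and reports whether any link other than the one carrying the lowest-metric default route still has DNS servers configured, which is the situation the question describes, where the wifi link's resolver can still answer lookups while the VPN is up. The sample blocks embedded in the script are constructed to mirror the question's output, and `A.B.C.D` / `E.F.G.H` are the question's own placeholders for the provider's resolvers; the three functions are mine, not part of systemd or NetworkManager.

```shell
#!/bin/sh
# Added example (not from the question): flag DNS servers that are configured on a
# link other than the one holding the lowest-metric default route.
# The sample blocks below are constructed to mirror the question's output;
# A.B.C.D / E.F.G.H are the question's placeholders for the VPN provider's resolvers.

STATUS_VPN='Link 9 (tun0)
Current Scopes: DNS
LLMNR setting: yes
DNS Servers: A.B.C.D
             E.F.G.H
Link 3 (wlp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DNS Servers: 192.168.1.1
Link 2 (enp0s31f6)
Current Scopes: none'

ROUTES_VPN='default via 10.7.7.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp3s0 proto static metric 600
10.7.7.0/24 dev tun0 proto kernel scope link src 10.7.7.182 metric 50'

# The same host before the VPN is up: only the wifi link has a resolver.
STATUS_NOVPN='Link 3 (wlp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DNS Servers: 192.168.1.1
Link 2 (enp0s31f6)
Current Scopes: none'

ROUTES_NOVPN='default via 192.168.1.1 dev wlp3s0 proto static metric 600'

# dns_links STATUS: print "<link> <server>" for every DNS server in
# `systemd-resolve --status` output; bare-address continuation lines
# belong to the most recent "DNS Servers:" header.
dns_links() {
    printf '%s\n' "$1" | awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); indns = 0; next }
        /^DNS Servers:/   { indns = 1; print link, $3; next }
        /^[A-Za-z].*:/    { indns = 0; next }   # any other "Key: value" line ends the list
        indns && NF == 1  { print link, $1 }
    '
}

# default_route_dev ROUTES: the device of the lowest-metric default route
# in `ip route show` output, i.e. where traffic actually leaves the host.
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (best == "" || metric < best) { best = metric; bestdev = dev }
        }
        END { print bestdev }
    '
}

# dns_leak_check STATUS ROUTES: "ok" when every configured resolver sits on the
# default-route link, otherwise "leak-risk:" followed by the offending links.
dns_leak_check() {
    dev=$(default_route_dev "$2")
    dns_links "$1" | awk -v dev="$dev" '
        $1 != dev && !seen[$1]++ { bad = bad " " $1 }
        END { if (bad != "") print "leak-risk:" bad; else print "ok" }
    '
}

# Demo on the constructed samples. On a live host run:
#   dns_leak_check "$(systemd-resolve --status)" "$(ip route show)"
echo "VPN up:   $(dns_leak_check "$STATUS_VPN" "$ROUTES_VPN")"
echo "VPN down: $(dns_leak_check "$STATUS_NOVPN" "$ROUTES_NOVPN")"
```

On the question's own output the check reports `leak-risk: wlp3s0` with the VPN up and `ok` without it, which matches what the packet inspection showed: the router's resolver is still reachable from the wifi link's DNS scope. The script only reads the two command outputs and changes nothing, so it is safe to run from a NetworkManager dispatcher hook or a shell prompt to confirm whether a given VPN connection leaves the physical link's resolvers in play.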