My understanding is the router you are using having the DHCP used by an attacker means they can nullify any privacy a VPN can give if they so choose. Unlikely for any home networks but for any wifi outside the home it becomes a possibility.
My question is as follows.
What about when double hop VPN is used? Or Tor? Or when using both? Asking as I have not seen any where that speaks on those aspects of it, just basic regular single hop VPN specifically.
To be clear I’m not here to debate any thing on VPN+Tor outside of this question.
“TunnelVision” is abuse of networks without proper security to send classless static routes to clients that can send traffic to a malicious destination. Single, multiple, whatever number of hops it is, this doesn’t help.
Now using Tor, I’m not entirely sure what interaction Tor has with this attack because the whole reason the attack works is because OpenVPN sets very broad routes (something like 0.0.0.0/0), which can be superseded by more specific routes that still cover all of IPv4 such as 0.0.0.0/2 which are set by attackers via this attack.
As far as I understand, Tor uses a proxy connection to work, which, while being on a different OSI layer to VPNs, should still be affected by any routes set on the machine it’s being used (such as routes set via DHCP option 121, the thing used for TunnelVision attacks) unless I’m not understanding how proxies work. Someone please do correct me if that assumption is wrong 
As an update to any other that read this I did some more basic research in to this, this is what it seems to come down to. Please keep in mind I can be 100% wrong so if you feel so please speak up.
More likely I am partially wrong at some point.
Tor uses what they call Onion Routing which means multiple layers of encryption to be partially used per Relay. Example - Three layers of encryption so the Guard Relay, Middle Relay, Exit Relay can use one layer to relay it forward.
This means even if the DHCP is compromised that they can not get the destination address as the work for each decryption for the next Relay IP happens at each Relay.
Tor is still safe with this even when ignoring every thing else.
Double Hop VPNs however do not seem to use this type of encryption. Looking at ProtonVPN specifically they could do this to, potentially, remove the issue so their marketing can be better (Safe at random Wifi locations, etc) however that requires more coding and resources server side.
At this time they do not do this for more security as they are more worried about physical security with their Double Hops. Which makes some sense though I would prefer all options used for security and anonymity.
My simple advice is to use on Linux in the terminal - Route, and IP Route Show as this will show where every thing is connecting. If you know what you should be connecting to you can instantly see if it has been changed on the fly.
Know there is a Windows OS terminal command you can use but I do not know what it is.