Comment 6 for bug 1851407

Did you ensure that the connection was set for "use only for resources on the connection"? (I believe this may be ipv4.never-default=yes setting in nmcli... and only bring it up because you do not mention it.)

I also think the negative DNS priority might be historical, no longer needed. (I just noticed mine was set to 50, which I believe is default for VPN connections now)

I should also note that if the never-default is set to "no"... I *will* see the DNS server, however the routing is then incorrect as the VPN concerned doesn't provide public routes.

So to be clear... never-default needs to be set to yes... DNS we expect is from DHCP options sent from the VPN server, and the problem is that you will see NO DNS servers for tun0 when you run the 'systemd-resolve --status' command