1. Coffee shop Wi-Fi router is compromised. Then that's a possible vector.
2. Bad actor sitting in the coffee shop and trying to carry out an attack similar to the one described on the link. Fortunately that won't work on any decent WiFi infra from Meraki, Ubiquiti or similar.
DHCP attacks are always a problem on dumb wired switches though.
Are there workarounds VPN clients can use to prevent this attack from working (or in the worst case, disconnect rather than send traffic outside the tunnel on a hostile network)?
If you don't run your network, you should assume there is a bad actor. Many wifi/router combos have a password of 'admin' or just as easy. Even if the coffee shop giving you wifi is innocent, the person that reconfigured their network in 10 seconds might not be.
But you're using a VPN at the coffee shop for privacy reasons, and the compromised DHCP server will allow a malicious actor to read all of your packets anyway.
DHCP servers aren't connected to any IP routing mechanisms, so there can be an arbitrary number of them, so long as there aren't duplicate assignments (but even that isn't a DHCP problem). IIRC the client randomly chooses one if multiple offers were received.
Doesn't this blow up the attack surface area to any isp and to any place that offers free wifi? With this attack, I can't assume that it's safe to bring my laptop to a coffee shop and enable the VPN.
It's worse than that - an attacker on the same local network as the target machine can tie up the legitimate DHCP server by reserving all available addresses and then start advertising themselves as an alternate DHCP server (to inject the malicious routing to the target).
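The workaround question above (can a VPN client notice it is leaking and bail out?) comes down to checking whether any route on the physical interface now beats the tunnel's routes under longest-prefix match, which is exactly what a rogue DHCP server's injected routing does. The following is an added example, not code from this thread or from any VPN product: it parses Linux `ip route` output (a constructed sample is embedded; `tun0`, `wlan0`, the VPN server address and the LAN prefix are assumed values) and reports every non-tunnel route that would carry traffic the tunnel is supposed to cover. A client could run this after every DHCP renewal and tear down the session if the list is non-empty.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_ip_route(text):
    """Parse Linux `ip route` output into Route records (IPv4 only)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]  # bare host -> /32
        dev = f[f.index("dev") + 1]
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def leaked_routes(routes, tun_dev, vpn_server, lan_net):
    """Return non-tunnel routes that win longest-prefix match over a tunnel route.
    Exempt: the /32 host route to the VPN server (the tunnel's own transport)
    and the local LAN prefix. Anything else that beats a tunnel route leaks."""
    tun = [r for r in routes if r.dev == tun_dev]
    exempt = {ipaddress.ip_network(vpn_server + "/32"), ipaddress.ip_network(lan_net)}
    leaks = []
    for r in routes:
        if r.dev == tun_dev or r.prefix in exempt:
            continue
        for t in tun:
            if not r.prefix.subnet_of(t.prefix):
                continue
            # a strictly longer prefix always wins; an equal prefix wins on lower metric
            if r.prefix.prefixlen > t.prefix.prefixlen or (
                    r.prefix == t.prefix and r.metric < t.metric):
                leaks.append(f"{r.prefix} via {r.dev}")
                break
    return leaks


def audit(text, tun_dev, vpn_server, lan_net):
    return leaked_routes(parse_ip_route(text), tun_dev, vpn_server, lan_net)


# Constructed sample: typical VPN split-default (/1 + /1 on tun0) plus one
# /24 that a DHCP server pushed onto wlan0; assumed interface names and addresses.
SAMPLE_ROUTES = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
198.51.100.0/24 via 192.168.1.1 dev wlan0 proto dhcp
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""

if __name__ == "__main__":
    for leak in audit(SAMPLE_ROUTES, "tun0", "203.0.113.5", "192.168.1.0/24"):
        print("LEAK:", leak)
```

The physical default route is not flagged because the tunnel's two /1 routes are more specific than it; only the DHCP-pushed /24 is reported.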