We have released a new macOS OpenVPN Connect v3 build version 3.4.1 that enables a watchdog function for DNS settings. So if some process resets these DNS settings implemented by OpenVPN Connect, they should automatically be corrected again.
In my case, the trigger for the primary resolver entry going back to the local (non VPN provided) state is any wifi reconnect, which is often invisible to the user. The laptop hops from one AP to another, mDNSResponder pushes the local DNS server to be the primary resolver, VPN DNS gets broken.
FortiClient must either block those updates or monitor them and restore VPN DNS settings every time they occur.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.