And how would they do that? Your browser should warn you the certs aren’t trusted.

And if your browser does warn you: what do you do? You use a VPN.

Which you would notice immediately because of the big, scary warnings.

Right, but how do you respond to that? Using a VPN seems like a reasonable approach in this situation.

It's a hotel right? I would respond by closing my laptop, then my eyelids, then checking out the next morning.

You respond primarily with non technical means, making a giant stink that a hotel that generally lives and dies on corporate money is man in the middling their WiFi.

Assume my hotel has some MITM running with the right (broken) certificates and so on.

Which is not that trivial to begin with.

How hard would it be to take over the dns and simulate a fake VPN too?

Or just constantly disconnect the vpn and hope the user stops using it for a while.

Presumably, you exchanged certs with the actual VPN over a known secure network prior.