Which is more secure....

Drakkon

Would a VPN setup with WPA disabled be secure at all? How much less secure would it be compared to a wireless connection with WEP/WPA enabled?

EDIT: Is there any way to have a "secure" connection wirelessly without enabling WEP/WPA? (I guess that's what I'm trying to get at.)

ScottMac

An open / unencrypted connection that communicates client --> VPN concentrator is very secure (at least, as secure as you make it).

If you use weak passwords / passphrases, then it's not very secure. If you enforce a reasonably strong password / passphrase system (or certificates, etc.), then it's pretty solid.

WPA would be just as weak if you used weak passwords / passphrases. It's important to use complex composition (i.e., mix upper & lower case, intersperse some non-alpha characters and / or numbers, etc.).

For example "my wireless" would suck as a passphrase, it's prone to dictionary and / or brute force attacks. Something like "I Like My Wireless" would be better (because it's longer and has some caps thrown in), but still uses "normal" words and can be whacked pretty easy (even with the Initial Caps).

Something like "I1 L2ike my3 Wire4less!" is much stronger, because it is not predictable (well, it sort of is, because of the position and value of the numbers) and has no "normal" words to match up to a dictionary attack.

Longer is better, as a rule ... within the limits of what the users will tolerate. Since a WPA-PSK or group password (for VPN) is usually only entered once at setup time, it's usually not too painful.

The last piece is that the passwords / passphrases must change occasionally ... just to cover the possibility of someone wanting to get into your system badly enough to dedicate the CPU time necessary to do a brute force attack. Programs like L0phtCrack and John the Ripper don't have to be attended; you pretty much turn 'em loose on a password file and let 'em run.

I've had John the Ripper running against my password files (to test 'em for strength) for over a month without a hit (on a Sparc Ultra 60 dual processor machine).

SO, the bottom line (sorry to get windy on ya): Yes, a VPN over an open connection will be ~ as strong as WPA with the same parameters. Both are stronger than WEP of any length (with or without MAC filtering) (with or without SSID broadcast). "Security through obscurity" doesn't work when someone is actively sniffing for signals.

FWIW


Scott
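The dictionary-attack point Scott makes above, as an added example that is not from the thread: WPA/WPA2-Personal derives its 256-bit PSK with PBKDF2-HMAC-SHA1 (4096 rounds, salted with the SSID), so an attacker who has captured a handshake guesses passphrases offline and recomputes that derivation for each guess. The block below does exactly that against a small constructed wordlist with a few case-mangling rules; the SSID `homenet`, the wordlist and the `naive_keyspace` estimator are all constructed for illustration. The three passphrases from the post show the point: the two made of ordinary words fall to the wordlist, the mangled one does not, even though a pure character-class estimate rates "I Like My Wireless" highly.

```python
"""Added example (not from the thread): WPA-PSK derivation plus a small
offline dictionary attack, showing why ordinary-word passphrases fall.
SSID, wordlist and the keyspace estimate are constructed for illustration."""

import hashlib

SSID = "homenet"  # constructed; the SSID is PBKDF2's salt in WPA-PSK

# Constructed stand-in for a real wordlist (a real one has millions of entries).
WORDLIST = ["wireless", "my wireless", "password", "i like my wireless", "homenet"]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The standard limits passphrases to 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, dklen=32
    )


def case_variants(word: str):
    """Cheap mangling rules of the kind cracking tools apply to every word:
    as-is, Title Case, UPPER, and first letter capitalised."""
    yield word
    yield word.title()
    yield word.upper()
    yield word.capitalize()


def dictionary_attack(target_psk: bytes, ssid: str, words, max_candidates: int = 100_000):
    """Recompute the PSK for each candidate and compare with the captured one.
    Returns (passphrase, candidates_tried) on success, (None, candidates_tried) otherwise."""
    tried = 0
    seen = set()
    for word in words:
        for cand in case_variants(word):
            if cand in seen or not 8 <= len(cand) <= 63:
                continue
            seen.add(cand)
            tried += 1
            if wpa_psk(cand, ssid) == target_psk:
                return cand, tried
            if tried >= max_candidates:
                return None, tried
    return None, tried


def naive_keyspace(passphrase: str) -> int:
    """Constructed character-class estimate of a pure brute-force keyspace:
    (sum of alphabet sizes of the classes present) ** length.
    It overstates the strength of dictionary phrases, which is the point of
    running dictionary_attack() alongside it."""
    classes = 0
    if any(c.islower() for c in passphrase):
        classes += 26
    if any(c.isupper() for c in passphrase):
        classes += 26
    if any(c.isdigit() for c in passphrase):
        classes += 10
    if any(not c.isalnum() for c in passphrase):
        classes += 33  # remaining printable ASCII characters
    return classes ** len(passphrase)


if __name__ == "__main__":
    for phrase in ["my wireless", "I Like My Wireless", "I1 L2ike my3 Wire4less!"]:
        psk = wpa_psk(phrase, SSID)
        found, tried = dictionary_attack(psk, SSID, WORDLIST)
        print(f"{phrase!r}: keyspace ~2^{naive_keyspace(phrase).bit_length() - 1}, "
              f"dictionary attack -> {found!r} after {tried} candidates")
```

Each candidate costs 4096 HMAC-SHA1 rounds, which is what makes WPA-PSK slow to brute-force but does nothing against a short wordlist; the only defence the post describes that actually helps is a passphrase that no mangling rule reaches. Note that the same passphrase on two different SSIDs yields two different PSKs, so precomputed tables only work per SSID.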

Boscoh

Just remember not to allow split-tunneling on the VPN clients, and run a software firewall on them.

If you aren't using WPA/WEP, it's easy for someone to spoof their way onto the wireless network. While they might not be able to see what your computer is transmitting because of the VPN, if you have split-tunneling enabled or don't have the VPN connected at the time, then they'll likely be able to send traffic to your PC. That means they could potentially compromise the PC, and a compromised PC initiating a VPN tunnel = a compromised VPN tunnel.

Something to keep in mind.