Can an open Wi-Fi hotspot be considered "secure" when using a VPN connection?
This is actually exactly the type of environment VPNs were designed to work in: when you cannot trust the local network.
If set up properly (i.e. making sure all traffic goes through the VPN and using a secure mutual authentication scheme) it will pretty well protect your connection.
This, however, requires the whole thing to be designed properly.
- Obviously, your VPN must be set up so that ALL your communication goes through the encrypted channel, not just the part that is aimed at the internal network behind it (which is sometimes the case with corporate firewalls or if you're using SSH).
- Avoid using SSL VPN unless you're using a pinned certificate for the server: you'll want to avoid having to perform PKI validation of the server's host name since it can be rather delicate.
- Understand the limitation: you will not be able to "mask" the fact that you're using a VPN, you will not mask the volume and pattern of your exchange (which can be to some extent used to identify the type of service you're using) and your connection will ONLY be secure up to the VPN exit point: everything between that point and the destination server will not be protected by the VPN (although it can also be encrypted on its own).
- There is no guarantee against a state actor who would be willing to spend dedicated resources to penetrate your security.
The article is correct, and a real threat exists in the initial period before the VPN is set up. It's a chicken and egg problem. The VPN configuration doesn't matter in this case, since to establish the VPN connection in the first place, you must first have an internet connection. Many/Most open internet points require you to register with them by entering in a secret code, or an email address, or merely accept the Terms of Service. This requires a non-VPN connection.
Generally that means having a browser open that talks directly to your local network rather than through the VPN. When started, browsers often bring up the last page they went to, and re-submit any parameters. So if you were to open your browser and it were to open a series of pages you last visited, you could leak information if those sites were http and not https.
Generally, no, it will not be secure.
It might be mostly secure if hotspot in question is not captive portal but truly open WiFi, and your local firewall is configured to drop ALL traffic which is not VPN traffic destined for your VPN server (so no traffic whatsoever can flow between your computer and any computer but VPN server), and you have connected your VPN before in secure environment and have saved and will verify its key (like ssh does, for example) instead of depending on PKI (like HTTPS does by default). And of course if you are not state-level person-of-interest as they can do side-channel attacks on both you and your VPN server (and probably crack the VPN anyway or use backdoor implemented in it) and much other fun stuff. But Joe Random probably won't be able to steal your bank account in this case if your software is not buggy.
However, (at least around here) most such hotspots are captive portals, which means they would not allow use before you at least click on their webpage and accept terms of use and stuff; and that is insecure - not only would you have to make an exception to pass web traffic unencrypted (potentially compromising any windows open in your web browser, profiles sync etc), but your browser would also by definition need to render whatever the captive portal (or any attacker spoofing it) throw at it, making you vulnerable to any browser or plugin bug (of which there are neverending streams). This is much higher risk, especially as airports and such are very sweet targets for such individuals.
But then again, if you surf around random sites on the Internet with javascript and flash enabled, you are already engaged in risky activity, so this might not increase your risk significantly (but then again, it might).
There is no such thing as "secure", only "probably secure enough for this or that purpose".