
Eckersley overlooks one other useful permutation: an open wifi node that only lets people tunnel to a remote VPN.

This neatly solves both the problem with local eavesdroppers, and much of the problem where an ISP or law-enforcement fingers you, the billing contact, for the activity of third parties. Their traffic emerges at the other end of the VPN tunnel – somebody else's problem.

And, it doesn't require any new local crypto protocols – just mundane destination/port filtering.



Combined with the idea from the article to offer two distinct networks (one traditional, private, WPA2 and one open, only allowing VPN connections out) this sounds like a very practical idea. Is there any good reason not to do it this way other than to protect the financial interests of mobile carriers?

A very paranoid regime could even establish rules to only allow certain accredited VPN providers (e.g. ISPs) to free people who offer open WiFi from the fear of being prosecuted.


Unless you do deep packet inspection, people may get clued in to your "mundane destination / port filtering" setup and start using other protocols like bittorrent on that port.

I actually saw this back when I ran an open network, in trying to prioritize bittorrent below ssh and interactive traffic. Some remote seeders will operate on port 22 or 443 because that's the only way they can reach the outside world. If an "Open Wireless Movement" using a standard VPN setup took hold, a similar thing might happen with that port.

Of course, without DNS only the savviest users would initially be able to exploit mundane destination port filtering, but it's only a matter of time before one of these users puts together a tool for the masses. So I still wonder about the plausible deniability of such a setup.


Couldn't you just limit each mac address to a single destination IP address? Put up a welcome page that explains what and why, maybe whitelist a few websites that help / provide software, and then lock them down to a single path beyond those.


I was primarily thinking of a whitelist of known VPN-only contact points, perhaps even a single public-interest VPN explicitly for this purpose. (Perhaps the EFF itself could run one.)

With that, you could only use other protocols with those limited destinations if they agree... which typically they wouldn't.
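The setup discussed above (open guest WLAN that may only reach an allowlist of VPN endpoints, with no DNS and no other egress) as an added nftables example, not code from any commenter. The interface name `wlan1`, the `203.0.113.10`/`198.51.100.5` endpoints and the `gen_guest_ruleset` helper are assumptions; substitute your own guest interface and VPN contact points.

```shell
#!/bin/sh
# Emit an nftables ruleset that confines a guest (open) WLAN interface to
# a short allowlist of VPN endpoints. Everything else from that interface,
# including DNS, is dropped, so the node forwards tunnels and nothing else.
# Usage: gen_guest_ruleset <guest-iface> <ip:proto:port> [<ip:proto:port> ...]
#        gen_guest_ruleset wlan1 203.0.113.10:udp:1194 | nft -f -
gen_guest_ruleset() {
    iface="$1"; shift
    printf 'table inet guest_vpn_only {\n'
    # Traffic from the guest interface to the router itself: DHCP only.
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    iifname != "%s" return\n' "$iface"
    printf '    udp dport 67 accept\n'
    printf '    counter drop\n'
    printf '  }\n'
    # Traffic forwarded from the guest interface: allowlisted VPN endpoints only.
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy accept;\n'
    printf '    iifname != "%s" return\n' "$iface"
    printf '    ct state established,related accept\n'
    for ep in "$@"; do
        # Split the constructed "ip:proto:port" triple (e.g. 203.0.113.10:udp:1194).
        ip=${ep%%:*}; rest=${ep#*:}; proto=${rest%%:*}; port=${rest#*:}
        printf '    ip daddr %s %s dport %s accept\n' "$ip" "$proto" "$port"
    done
    # Everything else from the guest side (DNS, web, torrents on port 22/443
    # to arbitrary hosts) is counted and dropped.
    printf '    counter drop\n'
    printf '  }\n'
    printf '}\n'
}
```

Because the allowlist is per destination address rather than per port, a seeder listening on 22 or 443 elsewhere on the internet is still unreachable, which addresses the port-reuse concern raised earlier in the thread.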



