A network can publish a VPNDB record containing the IPv4 address, IPv6 address, VPN protocol, and other information about the network’s VPN server in its DNS zone.
A modified TCP stack could query the VPNDB record and establish the VPN session with the target network on the user’s behalf, if not already established, before initiating the connection to the target machine as usual.
Running a public VPN server with this scheme would ensure that a user is not inconvenienced with special setup for your network in order to access your network services in a secure fashion. For example, an internal server that requires end-to-end stream security, but uses a protocol that is known to be insecure, can be configured to refuse connections that do not originate from the internal network or the public VPN server. Another potential use would be in encrypting by default as much traffic as possible in order to foil law enforcement data loggers.
Of course, with respect to firewalling, a public VPN server should be treated with the same caution that an open wireless access point would.