I haven't coded anything up yet but I gave it some thought.
First - I think SmoothConnect does some sort of blacklist/whitelist based on wifi SSIDs, so that might be something to check out.
Disconnecting in response to another app's intent is easy. Connecting is often interactive, so I think it might work best if the following conditions are satisfied:
- VpnService confirmation dialog is bypassed. Arne Schwab made an Xposed module for this. I was thinking I might integrate a cut-down version of this feature into OpenConnect directly, so that if you install OpenConnect you'll automatically get an option in the Xposed Installer to always allow VPN connections from OpenConnect. Hopefully this doesn't have any ill effects if Xposed is not installed.
- You would probably want to use batch mode (or a passwordless cert) so that OpenConnect doesn't bug you for group/login/password on every connection. Does this currently work for you?