03-18-2018 08:27 AM
I want to know if there is any way that someone in our family may be using a VPN from their iPhone to bypass logs in OpenDNS?
03-18-2018 09:33 AM
Since you used the word "family", the answer is...yes, someone in your family is using a handy iPhone utility to evade your carefully curated "to block" list. It's likely Betternet or TouchVPN. The short of it is that you need to work on blocking the ports used for DNS, with the exception of OpenDNS IP addresses. Then you need to spend the rest of your time trying different combinations of things to lock down the firewall on your rinky-dink router. I have found this to be a major task. I have still not cracked the code on how to stop TouchVPN without stopping all HTTPS traffic. I have blocked a handful of their proxy servers, but I can't seem to find a good list for all of them.
At some point you'll upgrade your router, and then a few months later consider severing all communication lines with the outside world out of frustration. Of course that "someone in your family" has already hacked into their school WiFi, and has bypassed any restriction you placed on the iPhone that you bought them. I've ended up putting strict MAC address filtering in as well...
Good luck!
03-18-2018 04:16 PM
"a VPN on our router"
A VPN client program normally does not run on the router, but on the end user device, unless someone else has full access to the router's administration and knows how to install a VPN client on it. Therefore "using a VPN from their iPhone" is the better expression.
iPhones (i.e. iOS) have nice restrictions built in. Visit Settings > Common > Restrictions to impose them.
Regarding blocking VPN traffic on the router, you'll want to create outbound firewall rules which block the related ports and protocols. Most VPN traffic is UDP, rarely TCP. Just blocking non-OpenDNS DNS traffic will not catch the VPN traffic.
03-18-2018 08:07 PM
Ok --- can I tell by looking at Domains in the logs if a VPN is being used?
If a VPN is being used --- would domains still show in logs?
03-18-2018 08:15 PM
Rotblitz,
I think Jhammons described it correctly. They wanted to know if someone in their family may use a VPN client to bypass the OpenDNS logs, and presumably the restrictions.
Having spent a fair bit of time trying to restrict this on our network, I wanted to share observations.
- blocking the VPN ports typically used will block normal VPN clients, but not the ones used by half the student population in any given high school.
- it's also important that you don't simply let someone change the DNS settings. Unless you really lock down an iPhone, it's easy to type in Google DNS and it will be resolved by Google, even if you had OpenDNS in the router. You have to explicitly prevent another DNS service by restricting the ports to only pass traffic to OpenDNS.
- clients like Betternet can be blocked by continually updating the ports typically used by the app. I've been successful with searching for this and seeing lists posted.
- I have still not had luck blocking TouchVPN. I understand it is not really a VPN, but an SSL encrypted connection to a proxy, and short of blocking normal browsing, you would have to know all of the IP addresses used in advance to block them in the firewall. I seem to have figured out a few, and it takes a while for the client to establish a connection....but it does.
All of this is not specifically related to OpenDNS, but if Jhammons was like me, they thought setting up OpenDNS would be the way to keep the users on their network from accessing the sites they blocked. I learned it's not so easy.
I'd love some advice on TouchVPN ( Northghost ).
03-18-2018 08:37 PM
Jhammons,
What I tend to see is the domain like Betternet or Northghost blocked by OpenDNS, but the client still functions. Once the client link is established they are tunneled and all you will see is a LOT of SSL and Secure HTTP traffic, presumably due to all the video traffic. Don't get too hung up on blocking only VPN though, it's relatively easy to block normal VPN clients. Most routers, even consumer ones, have settings to do this.
The clients you are trying to block use a variety of techniques.... I am still learning about one called Hydra, which is multi-hop, multi-destination.
I am not a professional IT person, but I started with OpenDNS and found my adversaries were far more sophisticated than me!
03-18-2018 08:57 PM
at this point -- less interested in actually blocking and more just interested in seeing if it is being used.
03-19-2018 02:20 AM
Clearly, because VPNs circumvent OpenDNS, you cannot see anything in the OpenDNS stats and logs. To catch this traffic, you would have to run a sniffer or a proxy server in your network through which all traffic must go. Only the DNS traffic served by OpenDNS appears in the stats and logs.
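An added example (not code from any post in this thread) that puts the last few replies together: the "only DNS to OpenDNS" rule, the "block the usual VPN ports" rule, and the point that neither of those shows up in OpenDNS logs, so you have to look at the traffic on the router yourself. It evaluates a constructed set of per-flow records (src, dst, protocol, destination port, bytes sent) of the kind a sniffer or conntrack export on the router would give you. The OpenDNS resolver addresses are real; the VPN port list, the sample flows and the TLS byte threshold are assumptions for illustration. The last flow, a large TLS session on port 443, passes both rules, which is the TouchVPN-style case the thread describes.

```python
# Added example, not from the OpenDNS thread: check constructed router flow
# records against the two policies discussed (DNS only to OpenDNS, block the
# well-known VPN ports) and show what slips past both.
from collections import Counter, namedtuple

# OpenDNS public resolvers (real addresses); DNS to anything else is a bypass.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Well-known VPN protocol ports. Assumed list for illustration only; the apps
# named in the thread may use other ports or plain TLS on 443.
VPN_PORTS = {
    ("udp", 500): "IKE (IPsec)",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN over TCP",
    ("udp", 1701): "L2TP",
    ("tcp", 1723): "PPTP",
    ("udp", 51820): "WireGuard",
}

Flow = namedtuple("Flow", "src dst proto dport bytes_out")

# Constructed sample, one flow per line: "src dst proto dport bytes_out".
# Non-OpenDNS addresses come from the RFC 5737 documentation ranges and
# Google's public resolver; none of this is captured data.
SAMPLE_FLOWS = """\
192.168.1.23 208.67.222.222 udp 53 80
192.168.1.23 8.8.8.8 udp 53 75
192.168.1.23 203.0.113.10 udp 1194 5200000
192.168.1.23 198.51.100.7 tcp 443 91000000
192.168.1.40 192.0.2.80 tcp 443 420000
192.168.1.40 192.0.2.81 tcp 80 12000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def dns_only_policy(flow):
    """Policy 1: DNS (port 53) may only go to the OpenDNS resolvers."""
    if flow.dport == 53:
        return "allow" if flow.dst in OPENDNS_RESOLVERS else "block (DNS bypass)"
    return "allow"


def vpn_port_policy(flow):
    """Policy 2: block the well-known VPN protocol ports."""
    name = VPN_PORTS.get((flow.proto, flow.dport))
    return f"block ({name})" if name else "allow"


def classify(flow):
    """Apply both policies; report the first one that blocks the flow."""
    for policy in (dns_only_policy, vpn_port_policy):
        verdict = policy(flow)
        if verdict.startswith("block"):
            return verdict
    return "allow"


def heavy_tls(flows, min_bytes=50_000_000):
    """Heuristic for the 'lots of SSL traffic' symptom: TLS flows carrying far
    more data than ordinary browsing. The threshold is an assumption; tune it
    to your own network."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport == 443 and f.bytes_out >= min_bytes]


def report(text):
    """Return per-flow verdicts keyed by (dst, dport), verdict counts, and
    the allowed TLS flows worth a closer look."""
    flows = parse_flows(text)
    verdicts = {(f.dst, f.dport): classify(f) for f in flows}
    return verdicts, Counter(verdicts.values()), heavy_tls(flows)


if __name__ == "__main__":
    verdicts, counts, suspects = report(SAMPLE_FLOWS)
    for key, verdict in verdicts.items():
        print(f"{key[0]}:{key[1]:<5} {verdict}")
    print("summary:", dict(counts))
    print("allowed but heavy TLS (possible tunnel):",
          [f.dst for f in suspects])
```

Run stand-alone it prints the verdict for each flow: the Google DNS query and the OpenVPN flow are blocked, while the 91 MB TLS session to 198.51.100.7 is allowed by both rules and only surfaces through the byte-count heuristic. That is the gap the thread keeps running into: port and resolver rules stop ordinary VPN clients, but a proxy tunnelled over TLS on 443 looks like browsing unless you inspect volume or the destination itself.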
03-29-2018 09:04 AM
Thank you -- I clearly don't know what I'm talking about.
03-29-2018 11:22 AM
You know what you're talking about. And I'm sure you understand now that OpenDNS can log only DNS traffic which they see from you, not DNS traffic going to a VPN's DNS service.