Monday, April 11, 2016

Using Private Internet Access VPN with OpenDNS filtering/protection

Short answer:  You can't.

Wish I'd known this before spending half a weekend figuring out how to change client DNS servers by MAC or IP address.

If you try to reset your router or PC to the OpenDNS DNS server addresses, it will not work.  DNSleak will still report that you are using the DNS server(s) associated with PIA, such as 209.222.18.218.

The reason is that PIA forces you to use these servers.  From the OpenDNS support system:

"DNS Servers Keep Changing Away from OpenDNS Automatically

3) 209.222.18.222 and 209.222.18.218:

You are currently using a privateinternetaccess VPN service. This service's VPN client automatically sets your DNS servers to 209.222.18.222 and 209.222.18.218 and cannot be changed while you are connected to the VPN. Unfortunately, there is no way around this, and you will be unable to use OpenDNS while connected to this type of VPN client.

Solutions: Cease using privateinternetaccess for VPN service and switch providers to one that supports a standard VPN client if you wish to use OpenDNS over the VPN."


I do not currently know which other VPN services support the use of OpenDNS.  Research to date suggests that Hide My Ass! and TorGuard do or can use OpenDNS, so one presumes that the parental access restriction and online content filtering services offered by OpenDNS would be supported by HMA! and TG.  I have not taken any steps to verify this.

(Note: I do not work for any of these companies, nor have I used their services, and so am not endorsing them in any way.  In fact, I would personally rather avoid HMA! since they are on record as cooperating with U.S. and U.K. authorities by providing their log files, which rather defeats the purpose of a VPN.  PIA and many other providers state they do not log, period.  Just information, use as you see fit.)


Incidentally, for anyone planning to set up restrictions on their kids' internet access, you might want to consider this tidbit from Linksysinfo.org, posted by "JeffD":

"Just an idea thinking about the problem of a parent restricting children I came across this thread and have a slightly different approach to what others might consider for setting up the router's DNS values.

It may be better to make the kid-safe DNS the router's default and add exceptions for the parent's devices. This way, as long as the parent can keep the kids from becoming admins there's less chance they will accidentally get access to the unrestricted DNS addresses. As new devices (xbox one replaces 360, PS3, PS4, etc) come online, by default, they are restricted until the parent white lists them into the unrestricted DNS list."

This does solve the problem of unknown and/or new devices potentially bypassing the content filtering.

Note that if you do this then the majority of your devices will be leaking their DNS lookups rather than running them through your VPN.  However, this appears to be a necessary trade-off to use services such as OpenDNS content filtering - you can either use secure VPN lookups, or content-filtered lookups, but nobody has fully integrated the two (except, possibly, HMA! noted above).

Besides, your own personal devices will still run through the VPN, so you're OK, and I don't think it matters too much what lookups your Xbox and TV might do.
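The filtered-by-default router setup described above, sketched as an added example (not code from this post or from JeffD). It assumes the router hands out DNS servers through dnsmasq, uses the OpenDNS FamilyShield addresses as the kid-safe default, and uses a placeholder address and made-up MACs for the allowlisted parent devices.

```python
import re

# Assumption: OpenDNS FamilyShield resolvers serve as the kid-safe default.
FILTERED_DNS = ("208.67.222.123", "208.67.220.123")
# Placeholder (documentation range): replace with your unrestricted resolver.
UNFILTERED_DNS = ("192.0.2.53",)

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dns_for(mac, allowlist):
    """Default-deny: only allowlisted MACs get the unrestricted resolvers."""
    allowed = {normalize_mac(m) for m in allowlist}
    return UNFILTERED_DNS if normalize_mac(mac) in allowed else FILTERED_DNS


def dnsmasq_config(allowlist):
    """Build dnsmasq DHCP lines: untagged default is filtered, tag overrides."""
    lines = ["dhcp-option=option:dns-server," + ",".join(FILTERED_DNS)]
    # Normalizing first means 'AA-BB-..' and 'aa:bb:..' cannot become two entries.
    for mac in sorted({normalize_mac(m) for m in allowlist}):
        lines.append(f"dhcp-host={mac},set:unfiltered")
    lines.append("dhcp-option=tag:unfiltered,option:dns-server,"
                 + ",".join(UNFILTERED_DNS))
    return "\n".join(lines)


# Constructed sample allowlist (hypothetical parent devices).
PARENT_DEVICES = ["AA-BB-CC-00-11-22", "aa:bb:cc:00:11:33"]

if __name__ == "__main__":
    print(dnsmasq_config(PARENT_DEVICES))
    print("parent laptop:", dns_for("aa:bb:cc:00:11:22", PARENT_DEVICES))
    print("new console:  ", dns_for("de:ad:be:ef:00:01", PARENT_DEVICES))
```

A device that has never been seen before matches no `dhcp-host` line, so it receives only the untagged (filtered) option.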

1 comment:

  1. Can you please guide me on how to set up a VPN on Xbox One? I want to access Netflix and other streaming stations on Xbox One to get around the geo block, but every time I connect the VPN it shows Error: 8015820a
