Opendns is trivial to by pass in many ways. The VPN solution will get past most anything. To get past opendns all you need to do is change the dns to something other than the router like 22.214.171.124 or 126.96.36.199. Even if your were to block the DNS port the user can always put in host table entries.
Opendns pretty much only stops those who choose to be stopped by it.
The other method companies like mine use is a proxy server. Since you do not have direct access to the internet you must ask the proxy to get you anything you want. Also since they proxy does not pass other protocols there WAS no easy way to bypass it.
Now we get TLS/SSL VPN. These appear to be HTTPS traffic and can bypass anything. The only way to even attempt to block these is to try to keep a list of hosting centers that offer this form of VPN. Nothing you can do about the ones people use their home internet or another private vpn server.