Problem: OpenDNS client (at least where registering IP addresses to be blocked) and VPN service don't mix.
Face it, lots of us love our privacy, or at least what little we can manage to squeak out on the Internet. Many of us use OpenDNS because we don't feel like our ISPs should be able to track our web-browsing habits by checking their nameserver logs (and face it, a lot of ISP nameservers are just plain slow).
A lot of us, including people who use OpenDNS for our DNS service, also use publicly-accessible VPN services. One popular service is Private Internet Access, which happens to be the one I use. :-)
How it works is that you use their client software (or even just a plain-old openvpn client) configured to log into them. When you do this and have connected, the IP address you appear as to the rest of the world is now somewhere other than your home IP address which your ISP has assigned to you, which is referred to as your "external IP address" (since that's what the outside world sees you as). The thing is, you're not the only person who is using that address - a number of other clients who also subscribe to that same VPN service can also be using that same external IP address as they browse the web.
The idea of the OpenDNS client allowing people to block unwanted content is a fine and noble one, and has much use for those people who are using it. However, it is NOT a good mix when using a VPN service, because when someone uses the OpenDNS client to register "their" address as being their home, they're actually registering the external IP address that they're using as part of the VPN service. And the problem with that is that they are now blocking "objectionable" content (i.e., content that they want blocked) from everybody using the same VPN service who happens to be on that same external IP address (which, BTW, you don't have any control over which one gets assigned to you by the service). This is a big problem because it now allows someone who's not related to everyone else using the VPN to block content that those people might want access to.
Currently, the only way for someone who doesn't want the content blocked who is using the same VPN service is to open a ticket with OpenDNS to have the block removed and the external IP address added to a "do not register" list that OpenDNS keeps, which prevents that external IP address from being register-able in the future by other OpenDNS client users. But that's a slow process that can take a day or two for someone at OpenDNS to act upon, and since services such as Private Internet Access don't give the user control over what external IP address they use, the user who doesn't want content blocks can find him/herself blocked again the very next day. At which point, they get to open another ticket, etc....
I've been told by OpenDNS support that a warning about using the OpenDNS client with VPN services was posted somewhere (on the website? in the client itself?), explaining that the two shouldn't be used together (for reasons such as this), but the sad fact of the matter is that a lot of people don't read those warnings and just charge ahead anyway.
A very easy fix for this would be to have the OpenDNS client software not allow you to register your visible, external IP address with OpenDNS for content blocking purposes if it detects any of the VPN client software programs that it's aware of to be running on the computer where the OpenDNS client is running. A simple check of the process table would let the OpenDNS client determine if a known VPN client is running, and it could refuse to allow their external IP address to be registered. In general, openvpn.exe running would be one to watch for. For Private Internet Access, checking for the presence of pia_manager.exe would do it. As OpenDNS becomes aware of others, it could update the client with that information as well.
I strongly suspect that the number of people who are using OpenDNS as their name service is larger than the number of people who are using it for content filtering via the OpenDNS client. While I certainly understand that some people don't want certain types of content getting to their home computer/network and support them in being able to do so, their choices shouldn't be allowed to affect people outside of their own homes. People don't read the warning that was apparently given somewhere, and end up causing problems for people who want to get to websites that the OpenDNS client user decided to block. By having the OpenDNS client look for known VPN client software running on the computer and refusing to allow the visible IP address to be registered for blocking, this problem could be reduced or eliminated. And people who want the content blocking can still get it - they just have to turn off their VPN service while they do so (which is something that OpenDNS already advises, if I understand correctly from the support rep).
Thanks for considering this idea.
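The process-table check proposed in the post, sketched as an added example (not OpenDNS client code and not part of the original post). It parses `tasklist /FO CSV /NH` output for the two image names the post mentions; the sample output is constructed, and `may_register_ip` is a hypothetical name for the registration gate.

```python
import csv
import io
import subprocess

# Image names taken from the post; the list would grow as other VPN clients become known.
KNOWN_VPN_PROCESSES = {"openvpn.exe", "pia_manager.exe"}

# Constructed sample of `tasklist /FO CSV /NH` output (not captured from a real host).
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","8 K"
"explorer.exe","4312","Console","1","98,204 K"
"OpenVPN.exe","5120","Console","1","12,340 K"
"pia_manager.exe","6028","Console","1","45,112 K"
'''


def running_images(tasklist_csv):
    """Return the lower-cased image names found in tasklist CSV output."""
    names = set()
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if row:  # skip blank lines
            names.add(row[0].strip().lower())
    return names


def detect_vpn_clients(tasklist_csv, known=KNOWN_VPN_PROCESSES):
    """Return the sorted list of known VPN client images that are running."""
    # Windows image names are case-insensitive, so compare lower-cased.
    return sorted(running_images(tasklist_csv) & {k.lower() for k in known})


def may_register_ip(tasklist_csv):
    """Hypothetical gate: (allowed, vpn_clients_found) for IP registration."""
    found = detect_vpn_clients(tasklist_csv)
    return (not found, found)


def live_tasklist():
    """Query the real process table (Windows only)."""
    return subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    allowed, found = may_register_ip(SAMPLE_TASKLIST)
    print("registration allowed" if allowed
          else "registration refused, VPN client running: " + ", ".join(found))
```

A name-based check like this only sees VPN clients running on the same computer under a known image name; a VPN terminated on the router, or a client not yet on the list, passes unnoticed.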