VPN excluding DNS

This post will probably only interest the very nerdy, tin foil hat subset of my friends. But I thought I’d share because figuring out the configuration took a lot of searching and trial and error. I like to use OpenDNS because it allows me to set filters for our family’s internet, which is just the sane thing to do. But I also want to run my internet traffic through a VPN so my ISP, Facebook, the government, and other spies can’t tie my internet traffic to me. When you connect to a VPN, typically you connect to the VPN’s DNS servers as well, but for OpenDNS to be able to do its filtering you need to have the requests come directly from your own IP address. So how do you send all your traffic, except your DNS queries, through your VPN?

Enter the Asus router I bought because it could run an OpenVPN client, upgraded with the Asuswrt-Merlin firmware. (It seems the stock Asus firmware is a custom fork of Tomato, optimized for the Asus hardware, and Asuswrt-Merlin is a fork of that which keeps the optimizations and the Asus perks but adds a little more functionality, like custom routing for your VPN.) Once I upgraded the firmware I was able to adjust the settings for the OpenVPN client as shown in the screenshot below.

You need to turn on the ‘Policy Rules’ and then route your whole network to the VPN, then exclude traffic to OpenDNS’s IP address (you also need to set OpenDNS as your router’s DNS server over on the WAN page). You also need to add:

    pull-filter ignore "dhcp-option DNS"

to the custom configuration; I think it needs to be above the line that says “pull” in order to override that setting. The next screenshot below shows that this works: my IP is in the Netherlands (my VPN exit), while my DNS is the OpenDNS servers closer to me. On the left you can see that I can’t access a dating site, one of my blocked categories (and a safe one to test!).
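To make clear why both settings are needed, here is a small model of the setup, added as an example and not code from the original post or from the Merlin firmware. It implements OpenVPN’s pull-filter semantics (filters tried in order, first matching prefix wins, unmatched options are accepted) and the first-match policy routing from the ‘Policy Rules’ table. The OpenDNS resolver addresses 208.67.222.222 and 208.67.220.220 are OpenDNS’s published resolvers; the VPN server’s push list and the two config snippets are constructed for the example.

```python
"""Model of the split-DNS setup: OpenVPN pull-filter handling plus first-match
policy routing.  Added example, not code from the post or the router firmware.
Assumptions: the OpenDNS resolver addresses below; the pushed option list and
the config snippets are constructed."""
import ipaddress
import shlex

# Assumption: OpenDNS's public resolvers, set as the router's DNS on the WAN
# page and excluded from the tunnel by the policy rules.
OPENDNS_RESOLVERS = ("208.67.222.222", "208.67.220.220")

# Policy rules evaluated in order, first match wins: the OpenDNS exclusions
# come first, then the catch-all that sends the whole LAN through the VPN.
POLICY_RULES = [(ipaddress.ip_network(ip + "/32"), "WAN") for ip in OPENDNS_RESOLVERS]
POLICY_RULES.append((ipaddress.ip_network("0.0.0.0/0"), "VPN"))


def egress_for(dst_ip, rules=POLICY_RULES):
    """Return the interface a packet to dst_ip leaves on under the rules."""
    dst = ipaddress.ip_address(dst_ip)
    for network, iface in rules:
        if dst in network:
            return iface
    raise ValueError("no rule matches " + dst_ip)


def parse_pull_filters(config_text):
    """Collect (action, prefix) pairs from 'pull-filter' lines of a client config."""
    filters = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)  # handles the quoted "dhcp-option DNS"
        except ValueError:
            continue  # unbalanced quotes: not a filter line we can use
        if (len(tokens) == 3 and tokens[0] == "pull-filter"
                and tokens[1] in ("accept", "ignore", "reject")):
            filters.append((tokens[1], tokens[2]))
    return filters


def apply_pull_filters(filters, pushed_options):
    """OpenVPN pull-filter semantics: filters are tried in order and the first
    whose prefix matches wins; 'accept' keeps the option, 'ignore' drops it,
    'reject' aborts the connection; an option matching no filter is accepted."""
    accepted = []
    for option in pushed_options:
        verdict = "accept"
        for action, prefix in filters:
            if option.startswith(prefix):
                verdict = action
                break
        if verdict == "reject":
            raise ConnectionAbortedError("server pushed rejected option: " + option)
        if verdict == "accept":
            accepted.append(option)
    return accepted


def effective_dns(config_text, pushed_options, wan_dns=OPENDNS_RESOLVERS):
    """Return (resolver address, egress interface) for the router's DNS queries
    once the tunnel is up.  A pushed 'dhcp-option DNS' that survives the
    filters replaces the WAN resolver, so queries go to the VPN's resolver
    through the tunnel; with the push ignored, OpenDNS stays in use and the
    policy rule sends those queries out the WAN."""
    surviving = apply_pull_filters(parse_pull_filters(config_text), pushed_options)
    pushed_dns = [opt.split()[2] for opt in surviving if opt.startswith("dhcp-option DNS ")]
    resolver = pushed_dns[0] if pushed_dns else wan_dns[0]
    return resolver, egress_for(resolver)


# Constructed push list, as a VPN provider's server might send it.
PUSHED = ["redirect-gateway def1", "dhcp-option DNS 10.8.0.1", "route-gateway 10.8.0.1"]

# Constructed client configs: without and with the pull-filter line.
CONFIG_WITHOUT_FILTER = "client\nremote vpn.example.net 1194\npull\n"
CONFIG_WITH_FILTER = ('client\nremote vpn.example.net 1194\n'
                      'pull-filter ignore "dhcp-option DNS"\npull\n')

if __name__ == "__main__":
    print(effective_dns(CONFIG_WITHOUT_FILTER, PUSHED))  # ('10.8.0.1', 'VPN')
    print(effective_dns(CONFIG_WITH_FILTER, PUSHED))     # ('208.67.222.222', 'WAN')
```

Without the pull-filter line the server’s pushed resolver wins and every query goes through the tunnel, so OpenDNS never sees it; with the line, OpenDNS stays the resolver and the policy rule keeps those queries on the WAN. One thing the model makes visible: those queries leave over the WAN in the clear, so the names being looked up are visible on that path even though the traffic that follows goes through the tunnel.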

Does this slow me down a little bit? Sure. I have a fiber optic cable coming into the house, so if I used my ISP’s DNS server it’d be MUCH faster, but it’s hardly noticeable, and the security that nobody in the house will stumble upon porn is worth it. Since most of the sites we visit are in English and probably hosted in America anyway, routing through the Netherlands doesn’t affect things much; a speed test doesn’t show too much deterioration, as there’s a good pipe from here to there. I do have an option to go around this if needed (sometimes I need to connect directly to America, or need to not be on a VPN, period).
