I have struggled with this issue a LOT in a corporate setting. You will always have employees that will get around your filter. It is impossible to fully block it while keeping high usability. Your best bet is to work with Human Resources and ENFORCE disciplinary action for intentionally bypassing the content filtering. I don't know where you are from or how the laws are, but in the companies we work with, all users are required to sign acceptable use policies, and anyone caught intentionally bypassing safeguards is disciplined. It only took two employees being put on 1-week unpaid suspension to stop everyone from using proxies.
If you aren't going the HR route, you are signing up for a cat & mouse game. I would make sure you are capturing all DNS traffic and forcing it to OpenDNS. If you are running a domain, use a group policy to enforce proxy settings and disable users from changing them. This blocks proxy use for IE and Chrome, but not Firefox (Firefox does not enforce Windows proxy settings).
If you don't have any legitimate reasons for users to VPN or proxy out, you can consider blocking outbound to the following:
TCP 8000 (Common Proxy Port)
TCP 8080 (Common Proxy Port)
TCP 1723 (PPTP VPN)
UDP 500 (IPsec VPN)
UDP 4500 (IPsec VPN)
UDP 1701 (L2TP VPN)
These aren't going to stop everything. SSH tunneling and SSL VPNs are always hard to stop, but at least it raises the bar a bit. Also, users can always resort to SSL proxy sites like https://www.clearlydrunk.com/. Your best bet really is working on disciplinary action. There is no sense in making rules if you aren't going to enforce them.
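An added example, not part of the original post: one way to see who is testing the filter is to scan outbound firewall logs for the ports listed above and for DNS queries sent anywhere other than OpenDNS. The log format (`time src dst proto dport`), the internal range 10.0.0.0/8 and the sample lines are assumptions constructed for illustration; 208.67.222.222 and 208.67.220.220 are the OpenDNS public resolvers.

```python
import ipaddress
from collections import defaultdict

# Ports from the list in the post, keyed by (protocol, destination port).
WATCHED = {
    ("tcp", 8000): "common proxy port",
    ("tcp", 8080): "common proxy port",
    ("tcp", 1723): "PPTP VPN",
    ("udp", 500): "IPsec VPN",
    ("udp", 4500): "IPsec VPN",
    ("udp", 1701): "L2TP VPN",
}
# OpenDNS resolvers; outbound DNS to any other address is flagged.
ALLOWED_DNS = {"208.67.222.222", "208.67.220.220"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log (assumed format): time src dst proto dport
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.1.1.20 208.67.222.222 udp 53
2024-01-01T09:00:05 10.1.1.21 8.8.8.8 udp 53
2024-01-01T09:01:10 10.1.1.21 198.51.100.7 tcp 8080
2024-01-01T09:02:00 10.1.1.22 203.0.113.9 udp 4500
2024-01-01T09:02:30 10.1.1.23 10.1.1.5 tcp 8080
2024-01-01T09:03:00 10.1.1.20 198.51.100.9 tcp 443
malformed line
"""

def find_bypass_attempts(log_text):
    """Return {source_ip: sorted reasons} for flagged internal-to-external flows."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        _, src, dst, proto, dport = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if src_ip not in INTERNAL or dst_ip in INTERNAL:
            continue  # only traffic leaving the network is of interest
        proto = proto.lower()
        if (proto, port) in WATCHED:
            hits[src].add(f"{proto}/{port} {WATCHED[(proto, port)]}")
        elif port == 53 and dst not in ALLOWED_DNS:
            hits[src].add(f"DNS to {dst} instead of OpenDNS")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}
```

Run it over denied as well as permitted flows: a blocked attempt is still evidence that someone tried to go around the filter.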