IMHO stock OpenBSD is a better start. Concise and secure. Sending all traffic through a VPN is probably a bad idea, it is better IMO to put /some/ traffic through the VPN that you want separated. Private browse through VPN, preferably in a VM. The "I'm not a robot" thread (https://news.ycombinator.com/item?id=19155643) from a few days ago showed just how much can be gleaned by javascript, that's probably enough to work out if your private browser is on the same computer as the non-private.