Regarding the VPN part of the privacy appliance, it would be worth to look at the built-in capabilities of the clients which shall be connected. Most client OS's support dial-in L2TP/IPsec and/or IKEv2-IPsec connections out of the box, without needing to install any additional software. So, perhaps it is worth to simply go with those two VPN systems, which are easy to install on FreeBSD using security/strongswan and net/mpd5.
Regarding Thread 67704, I agree with steveharriss – of course I do, I am the author of dns/void-zones-tools, see also https://github.com/cyclaero/void-zones-tools. One special thing is worth to mention. In order the privacy cannot be bypassed by the clients using other DNS facilities (either the classic one on TCP/UDP ports 53 or the new fancy ones DoT on TCP port 853 or even DoH on TCP port 443 to 18.104.22.168/24, 22.214.171.124/24, and 126.96.36.199/9, you want to block these channels on the firewall of the appliance for access by the clients.