We're all running some bespoke setup, and probably each planning something more advanced and more bespoke, just to overcome bugs in browser implementations. What we all actually need is a browser developed with the goal of being secure by default, rather than shrugging off, e.g., the leaking of network config / window size / rendering engine nondeterminism / etc.
I used that one to route all of my Gmail stuff over my server. This is done transparently to Thunderbird, by launching it in its own network namespace. That way, I don't get these annoying "Someone has your password" messages when travelling.
That's close to what I'm using (I have only one route-script for OpenVPN which is pretty much the same, but handles both up and down commands from the VPN client). To make DNS work properly, there should be a resolv.conf file in /etc/netns/$netns_name/ (the directory has to be created manually).
I should generalize my stuff and push it to GitHub...
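The per-namespace resolv.conf mentioned in the comments above, as an added example that is not code from anyone in the thread: it writes /etc/netns/$netns_name/resolv.conf and then checks that the namespace would not end up using one of the host's resolvers. The function names and the ROOT prefix argument (so the logic can be tried in a scratch directory without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example. `ip netns exec NAME cmd` bind-mounts files found in
# /etc/netns/NAME/ over their /etc counterparts; with no resolv.conf there,
# the process inside the namespace reads the host's /etc/resolv.conf.

# netns_resolv_write ROOT NAME SERVER...  (ROOT is "" on a real system)
netns_resolv_write() {
    root=$1; name=$2; shift 2
    # Refuse names that would escape /etc/netns.
    case $name in
        ''|.|..|*/*) echo "invalid namespace name: $name" >&2; return 2 ;;
    esac
    if [ "$#" -eq 0 ]; then echo "no nameserver given" >&2; return 2; fi
    dir=$root/etc/netns/$name
    mkdir -p "$dir" || return 1            # the directory is not created for you
    tmp=$dir/resolv.conf.tmp
    : > "$tmp" || return 1
    for server in "$@"; do
        printf 'nameserver %s\n' "$server" >> "$tmp"
    done
    mv "$tmp" "$dir/resolv.conf"           # replace the old file in one step
}

# Print the nameserver addresses listed in a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" 2>/dev/null
}

# netns_dns_check ROOT NAME
# Prints "ok" (status 0), "missing" (status 1: the host file would be used),
# or "shared:ADDR" (status 2: the namespace lists one of the host's resolvers).
netns_dns_check() {
    root=$1; name=$2
    ns_file=$root/etc/netns/$name/resolv.conf
    if [ ! -s "$ns_file" ]; then echo "missing"; return 1; fi
    for ns in $(nameservers "$ns_file"); do
        for host in $(nameservers "$root/etc/resolv.conf"); do
            if [ "$ns" = "$host" ]; then echo "shared:$ns"; return 2; fi
        done
    done
    echo "ok"
}
```

On a real system, call both functions with an empty ROOT as root, for example `netns_resolv_write "" vpn 10.8.0.1` (a constructed address) before starting the program with `ip netns exec`.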