Hi, I am new to the site and new to the dark net in general. Before I do anything other than browsing and before I completely understand the concept of opsec, I do not plan on doing anything else.

My current mindset is like this:
ISP > VPN router with OPNsense or similar > Qubes main machine with disk encryption > Whonix anon VM which will be the main machine

My downside when it comes to privacy and anonimity is tehnical measures, I do not know much about this so I want to ask a few questions.

1) Which is better? VPN router or VPN on my actual Qubes/Whonix environment? Ive seen some of the posts here that say Tor + VPN is not a good idea, but what about a vpn router that has a firewall like pfsense/opnsense?

2) Public VPN that is trusted, bought anonimously, or OpenVPN with an offshore server located in a country with good privacy laws, such as Iceland or Netherlands? Manual log clearing?

3) Any links/guidelines on kernel hardening or anything related to properly securing main machine? Should kernel hardening be done on qubes, whonix or both?

4) What is the whonix gateway and are there any special measures needed to secure it as ive heard it interferes with the router?

5) If my setup is bad, could you suggest any other setups and explain why mine sucks (feel free to roast me, im kinda new to all of this)

Sorry if Im asking any dumb questions. Thanks in advance!