I haven't really sketched it out yet, but the key principle to implement is information splitting by having two tiers. The first knows who you are (sees real IP or has account info), but not the destination of your traffic. The second does not know who you are, but does know the destination of the traffic.