SNI is not encrypted.

You need a box downstream of your ISP devices that encrypts all traffic out over a VPN. This is what I do.