I have used GrapheneOS for several weeks since I got rid of my old Samsung, and I know that if you install a VPN, GrapheneOS turns on Always-On VPN and Block Connections by default.
It works when the device is unlocked, but once I reboot or update I don't see the 'Always-On/Block Connections without VPN Lock' icon on the screen before unlocking the device. I have sandboxed Google Play installed, and I see GMSCompat starting (the Play Store starts without the VPN connection?), and GrapheneOS downloads updates before unlocking without the VPN connected. The Always-On blocking doesn't seem to start before I unlock. After unlocking the device, the Always-On VPN icon appears in the corner after some delay.

From what little I understand about the system log files, it looks like the VPN manager doesn't start before first unlock, and the VPNAlwaysOnService from my provider (PIA) starts several seconds later.

I never had this with Samsung One UI; when I started the device it would be blocking all traffic before I unlocked the device, but I don't think this is the case with GrapheneOS.
It looks like it has a full connection and isn't blocking anything before I unlock and wait for my VPN app process to start.

Help is appreciated if anyone has any information about this or knows of a solution!
I want my device to block all connections before unlocking and after unlocking the device until my VPN connects like it did on my Samsung.

    FOSSOS
    When you boot your device, it's in BFU state until you unlock your device and it enters AFU. This means it's encrypted and apps cannot run on your device. I imagine this includes your VPN running as well, but it wouldn't need to run anyway, since no other apps can run either and so no app connections need to be encrypted.

      Dumdum OK, but on my Samsung device the Always-On VPN service started BFU, showing the icon on the lock screen. GMSCompat (Google Play?) does start running BFU. There is a pretty long delay before the Always-On icon appears AFU (and the VPN often fails to connect several times on GrapheneOS; I do not have that issue on other Android devices). We can't set priority on what loads first, so how can I be sure nothing leaks AFU before Always-On loads? It does not look like GOS loads the Always-On/Block setting before the VPNAlwaysOnService from my VPN provider loads, while the OS knows a VPN provider is set.

        FOSSOS GMSCompat (Google Play?)

        GMSCompat is Graphene's compatibility layer for the Play Store, so no, it's not Google Play. GMSCompat and anything else loading/running in BFU state are system apps/components, not user apps.

        There is a pretty long delay before the Always-On icon appears AFU

        Not for me. Takes a second or two at most. Might be worth reporting on the GitHub tracker.

        and the VPN often fails to connect several times on GrapheneOS

        Again, not for me. I connect to the VPN fine. Either a problem with your VPN or, since you stated it's fine on stock Android, it might again be worth reporting on the tracker.

        how can I be sure nothing leaks AFU before Always-On loads?

        As long as Block Connections without VPN is on, I doubt there would be. But if you can produce any evidence that leaks are occurring, you can report them to the team.

          Dumdum

          Dumdum GMSCompat is Graphene's compatibility layer for the Play Store, so no, it's not Google Play. GMSCompat and anything else loading/running in BFU state are system apps/components, not user apps.

          If it's only the compatibility layer that loads, it is fine, as long as the Play Store does not connect before a connection is established or Always-On starts blocking.

          Dumdum Not for me. Takes a second or two at most. Might be worth reporting on the GitHub tracker.

          It takes about 10 seconds to load the Always-On icon AFU. I don't know if that's slow on a Pixel 8 Pro.

          Dumdum Again, not for me. I connect to the VPN fine. Either a problem with your VPN or, since you stated it's fine on stock Android, it might again be worth reporting on the tracker.

          It might be the app. Sometimes it starts without any problem and runs for days. Sometimes it doesn't try to connect at all unless I open the app or reboot to try again, and sometimes it connects and disconnects a few times.

          Dumdum As long as Block Connections without VPN is on, I doubt there would be. But if you can produce any evidence that leaks are occurring, you can report them to the team.

          I can't. I can barely understand the log, and I don't know how the load order works. The only thing I can do is report what is visible, which is no visible lock icon on screen for about 10 seconds AFU while the OS knows I have a VPN provider set. I am used to always seeing the lock icon when I start a device without GOS, even BFU, but I would expect it to show immediately AFU because GOS should know a VPN provider is set.
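Added example, not part of the thread and not code from GrapheneOS, PIA or any VPN app: the posts above turn on what happens between first unlock and the moment the VPN app's process is running, and on which processes the system starts before that. A `logcat -v threadtime` capture taken after a reboot answers both questions without having to read the whole log by hand. The script below pulls out the first-unlock line, the VPN app's "Start proc" line, and every other app process ActivityManager started, split into started-BFU and started-AFU-before-the-VPN-app. The "Start proc <pid>:<package>/<uid> for ..." line is what ActivityManager logs on Android for every app process start; the unlock marker regex and the package name `com.example.vpn` are placeholders (assumptions) to be replaced with what the device actually logs and the real VPN package, and the embedded sample capture is constructed, not a real device log.

```python
#!/usr/bin/env python3
"""Added example (not from the thread, GrapheneOS, or any VPN app).

Given a `logcat -v threadtime` capture taken after a reboot, find the first
unlock, the moment the VPN app's process is started, and which other app
processes the system launched before the VPN app was running.

ASSUMPTIONS: the unlock marker regex and the package name com.example.vpn are
placeholders; the "Start proc" line format is what ActivityManager logs on
Android for every app process start.
"""
import re
import sys
from datetime import datetime

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+[VDIWEF]\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)
# ActivityManager logs each app process start as "Start proc <pid>:<package>/<uid> for ..."
START_PROC_RE = re.compile(r"^Start proc \d+:(?P<pkg>[^/\s]+)/")
# ASSUMPTION: the line the system prints at first unlock. Adjust to your device's real log.
DEFAULT_UNLOCK_RE = re.compile(r"ActivityManager: User 0 unlocked")

# Constructed sample capture (not a real device log); timings and receivers are invented.
SAMPLE_LOGCAT = """\
01-15 08:00:00.120   980  1010 I ActivityManager: Start proc 1502:app.grapheneos.gmscompat/u0a120 for broadcast {app.grapheneos.gmscompat/.BootReceiver}
01-15 08:00:03.400   980  1010 I ActivityManager: User 0 unlocked
01-15 08:00:04.010   980  1010 I ActivityManager: Start proc 1640:com.android.vending/u0a133 for broadcast {com.android.vending/.BootReceiver}
01-15 08:00:13.250   980  1010 I ActivityManager: Start proc 1711:com.example.vpn/u0a150 for service {com.example.vpn/.AlwaysOnService}
"""


def parse_line(line):
    """Return (timestamp, tag, message) for one threadtime line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # logcat omits the year; a leap year keeps 02-29 parseable, and only deltas are used.
    ts = datetime.strptime("2000-" + m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("tag"), m.group("msg")


def analyze(lines, vpn_package, unlock_re=DEFAULT_UNLOCK_RE):
    """Split app process starts into before-unlock (BFU) and after-unlock-but-before-VPN."""
    result = {"unlock": None, "vpn_start": None,
              "started_bfu": [], "started_before_vpn": []}
    for raw in lines:
        parsed = parse_line(raw.rstrip("\n"))
        if parsed is None:
            continue
        ts, tag, msg = parsed
        if result["unlock"] is None and unlock_re.search(f"{tag}: {msg}"):
            result["unlock"] = ts
            continue
        if tag != "ActivityManager":
            continue
        m = START_PROC_RE.match(msg)
        if m is None:
            continue
        pkg = m.group("pkg")
        if pkg == vpn_package:
            result["vpn_start"] = ts
            break  # from here on the VPN app is at least running
        if result["unlock"] is None:
            result["started_bfu"].append(pkg)
        else:
            result["started_before_vpn"].append(pkg)
    return result


def gap_seconds(result):
    """Seconds from first unlock to the VPN app's process start, or None if either was not seen."""
    if result["unlock"] is None or result["vpn_start"] is None:
        return None
    return (result["vpn_start"] - result["unlock"]).total_seconds()


def report(result):
    """Human-readable summary of the timing and of what started before the VPN app."""
    out = []
    if result["vpn_start"] is None:
        out.append("VPN app process start not found in capture")
    elif result["unlock"] is None:
        out.append("VPN app started before first unlock (BFU)")
    else:
        out.append(f"VPN app started {gap_seconds(result):.2f}s after first unlock")
    out.append("started BFU: " + (", ".join(result["started_bfu"]) or "none"))
    out.append("started AFU before VPN app: " + (", ".join(result["started_before_vpn"]) or "none"))
    return "\n".join(out)


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOGCAT.splitlines()
    pkg = sys.argv[2] if len(sys.argv) > 2 else "com.example.vpn"
    print(report(analyze(source, pkg)))
```

Usage: reboot, unlock, wait for the VPN icon, then `adb logcat -v threadtime -d > boot.log` and `python3 vpn_gap.py boot.log <vpn.package.name>`. The "started AFU before VPN app" list is the set of apps that were running in the window the thread is worried about; whether they could actually send traffic in that window is exactly what Block Connections without VPN is supposed to prevent, and the script only shows the ordering, not the traffic.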