Hello!
Is there a way to use a firewall where I could set up allowed IPs to connect via Wi-Fi or mobile network?
Some months ago I wrote about a VPN leak when a secondary profile starts: https://discuss.grapheneos.org/d/11694-rare-user-profile-bug-causing-broken-vpn-and-data-leak
I also sent logs about the issue to @muhomorr, but I now see the same problem.

I do not understand how to open a secondary profile securely, because it could be opened with a "system service crashed" (VPN service) error, and "block traffic without VPN" will NOT work in this case...

It happens very rarely, but it could leak traffic without VPN after a start with a crashed VPN service (the system service, not the app).

Or how can I protect traffic if a secondary profile is suddenly opened but the "system VPN service" has crashed? In this case all traffic goes through Wi-Fi or mobile data without VPN, and the system protection does not help at all.

Also, sometimes I see that DNS traffic leaks. It is not good for privacy.

Another OS provides a firewall, but I want to keep GrapheneOS and do not want to switch... but... the privacy problem is more important than the vulnerability and exploit protection.

    And no, it could happen with the WireGuard, ProtonVPN and OpenVPN apps; the problem does not depend on the VPN app, because the system service crashes.

    I think that I have an answer for you. I use ProtonVPN, and it has a setting that allows you to use a Kill Switch, so when there is a disconnect while you are online, the Kill Switch takes over and blocks all traffic in and out. ProtonVPN is "free" or you can pay for more. ProtonVPN, ProtonMail, etc. are headquartered in Switzerland, and can be reached at https://protonvpn.com/.

    Good luck.

      skatup As I wrote before, ProtonVPN traffic leaks sometimes too.
      If the system VPN service has crashed, no app can establish a connection with the VPN, because the system service did not load.
      In this case nothing can protect the traffic. Only a firewall, but as I understand it, that is not possible on this OS.

      AlphaElwedritsch I tried their firewall and it works well. But it can only block traffic without VPN; it cannot set allowed IPs ;(

      But I really want to use the same thing on GrapheneOS...