Inbound traffic and outbound traffic before unlock

Emily

Always-on VPN is already set. The Graphene OS is auto-reboot as planned. However, I notice that the VPN icon did not appear until I unlock the screen after the reboot.
Is there any internet traffic outside the VPN tunnel before I unlock the screen?

DeletedUser127

Emily I don't believe there is a whole lot going on in BFU with storage encrypted. OS is booted and waits for first unlock, to start apps that are permitted to run at startup, including the VPN app. As soon as the always on VPN is on and there is network available, apps can connect to internet.

GrapheneOS

Emily Traffic is blocked when it's not available if you have the leak blocking toggle enabled.

Emily

GrapheneOS

DeletedUser127

DeletedUser127 OS is booted and waits for first unlock, to start apps that are permitted to run at startup, including the VPN app.

But before first unlock, I notice that WiFi icon appears on the screen while the VPN icon does not appear.

Does it mean that the WiFi is on the working status while VPN is not?
Does it mean the internet traffic could bypass always-on VPN setting before first unlock?

de0u

Emily But before first unlock, I notice that WiFi icon appears on the screen while the VPN icon does not appear.

Does it mean that the WiFi is on the working status while VPN is not?

Yes.

Emily Does it mean the internet traffic could bypass always-on VPN setting before first unlock?

It shouldn't, and the presence of the Wi-Fi icon does not mean it is.

When the device is rebooted and BFU, it is expected that the device, if it has a SIM and isn't in airplane mode, will connect to the cellular network to receive incoming calls and support outgoing emergency calls. If the cellular network icon is on that will not mean that anything is using the cellular connection, just that the connection is available.

When the device is rebooted and BFU, it is expected that the device, if it is near a Wi-Fi network it can sign in to, will connect to the Wi-Fi network. This can be useful if the device has Wi-Fi calling enabled, since the device could use the Wi-Fi network to receive incoming calls and support outgoing emergency calls. Also, system functions such as connectivity and network time (source) can use the Wi-Fi network.

If the Wi-Fi network icon is on that will not mean that apps that should be blocked by the VPN are using the Wi-Fi connection, just that the connection is available.

GrapheneOS

Emily Wi-Fi works before first unlock. That's not really relevant to this. If the leak blocking toggle is enabled, it blocks traffic from going out without the VPN. If the VPN supports Direct Boot, it can run Before First Unlock. If it doesn;t, it can't. Either way, leaks are blocked before and after the VPN is started with that toggle enabled.

BeepBeep

No one followed up with you, so...There are different layers in a network connection. ( See: https://www.freecodecamp.org/news/osi-model-networking-layers-explained-in-plain-english/ )

As I understand it, you have to establish a network connection before you can establish a VPN tunnel within that network connection. There has to be some basic handshaking going on apart from the VPN that your can't get away from. Depending on your app, you can, for example, disconnect from the VPN (traffic blocked) while remaining connected to WiFi. That doesn't necessarily mean your private data can escape.

However, this:
https://www.bleepingcomputer.com/news/google/android-leaks-some-traffic-even-when-always-on-vpn-is-enabled/

I don't know whether I'm doing myself any good, but I restrict background operation on most apps I download.

Emily

BeepBeep
I am sad to know no one follow up with me.
Anyway, thanks for your reply.

DeletedUser127

Emily we are talking BFU here, OS is booted and services associated with it active, but what do you expect is going to use network with no apps running?

If you feel like reading the system log that contains the boot sequence with hardware initialization and subsequent process, just export it from

Setting > System > View logs

right after first unlock. Beware, it's a long reading.

Emily

DeletedUser127 Thanks for your reply.

de0u Thanks for your detailed explanation. The source you provided is really helpful for me to understand the default connections and WiFi status.

GrapheneOS

GrapheneOS Either way, leaks are blocked before and after the VPN is started with that toggle enabled.

Thank you. Your answer clears my doubt about potential traffic leak before first unlock.