[Feature Request] Per-App Network Isolation & Routing Control

Layamir

GrapheneOS already lets us revoke the INTERNET permission per app, which is great. But there’s room to go further with granular, per-app network rules, especially when using VPNs, Tor, or local services.
I would like to:

Force an app to only use VPN, no fallback if the VPN disconnects (kill switch)

Allow apps to access only specific IPs or domains

Block access to local network (LAN) while on Wi-Fi

Route specific apps through different VPNs or socks proxies.

It gives users verifiable control over what each app can talk to reducing attack surface and stopping leaks even from compromised apps.
Advanced users already try to cobble this together with external tools, root, or VPN profiles but it should be native, clean, and secure.

ryrona

Layamir It gives users verifiable control over what each app can talk to reducing attack surface and stopping leaks even from compromised apps.

Unfortunately, apps within the same profile can communicate with each over using IPC, and often do, so adding per app network routing settings like this would not give any meaningful protection at all even for non-compromised apps. We would need App Communication Scopes feature first. Until then, putting apps in separate user profiles is the only meaningfully secure way.

Layamir

You're totally right that apps in the same profile can talk to each other via IPC, and without something like App Communication Scopes, we can't achieve full isolation between them. So yeah... separate user profiles are the only robust way to enforce strong boundaries right now.

That said, I still think granular per-app network controls have real value, even within a single profile. For example:

A per-app VPN kill switch can stop data leaks if the VPN disconnects, without affecting the whole profile.

Blocking access to specific IPs/domains or the local network can limit telemetry, fingerprinting, and attack surface, especially for apps that shouldn't touch LAN devices.

Routing different apps through different VPNs/SOCKS proxies can compartmentalize risk or bypass regional blocks, helpful for advanced users.

Even a compromised app can't just exfiltrate data if it’s locked to a certain proxy or domain set.
I totally agree that these controls won't stop IPC-based leaks or intentional collusion. But in practice, they still raise the bar significantly, especially in a defensivs setup and would nicely complement profile isolation when full separation isn’t practical.

Would love to see both App Communication Scopes and per-app network policies make it into GrapheneOS eventually.