VPN control not working - AFWall+ doesn't block / blocks when it shouldn't

[Michi-F]

What I want to achieve:
no Internet connection for any app when VPN is not connected

My setup:
Lineage OS 14.1, with integrated VPN client via Settings -> More -> VPN
AFWall+ in whitelist mode and enabled "VPN control"
grant mobile access to "(root) - Apps running as root" and "(vpn) - VPN networking", with this I can connect to my VPN Server over mobile data

Test 1: grant vpn access to browser, connect to VPN
Expected behavior: browser has internet access over the VPN
Actual behavior: browser doesn't have internet access

Test 2: disable vpn access to browser, grant mobile access to browser, connect to VPN
Expected behavior: browser doesn't have internet access (because VPN is connected, and browser doesn't have vpn access, only mobile access)
Actual behavior: browser has internet acces over the VPN (verified by checking the IP adress - the browser uses the IP of the VPN Server, not the IP of the phone via mobile data).

Summary
AFWall+ blocks when it shouldn't (VPN access granted) and doesn't block when it should (mobile access granted but no vpn access granted) when VPN is connected.

Without VPN, AFWall+ works fine (blocks internet access when wlan/mobile access is not granted)
Maybe this is related to #782 ?
My setup is more or less the same as in the screenshots from @Primokorn in #782 (comment), except that I don't use OpenVPN, but the integrated VPN client of Android/LineageOS.

Any ideas, or is this a bug and AFWall+ doesn't work with the integrated VPN client?

[walrus543]

There's indeed connectivity issues when the VPN service is used.
Some connections are blocked while it should be allowed.

Example with UID 1000:
IPv4rules.log

[s3342578]

Also affected when using ovpn client.

[clompsy]

For me basically the VPN toggle has no effect whatsoever.
An app with mobile data checked but VPN unchecked has access no matter if connected via VPN or not.
An app with mobile data unchecked but VPN checked has no access no matter if connected via VPN or not.

I stripped down the rules to a minimum:
IPv4rules.log
Whitelist mode, two apps taken into account (see screenshot):

• "imdb" -> mobile only
• "wrd" -> VPN only

Mobile data and VPN are active, I would expect "imdb" not to have access but "wrd" to have access.
But actually it is the other way: "imdb" works but "wrd" doesn't.
Same behavior when disabling VPN: "imdb" works but "wrd" doesn't.
Adding the mobile option to "wrd" makes that app works as well (no matter if VPN connected or not).

AFWall+ v3.1.0 installed via PlayStore.
Other than that using AFWall+ works fine, all rules are taken into account. But I'm struggling to have VPN any kind of impact.
VPN connection is done using the built-in Android VPN feature. IP check shows that requests (e.g. via browser once I allow it to use mobile data) are going through the VPN.

Here's the screenshot matching the IPv4rules.log above:

[TjrGithub]

I have this problem, too. Naively, I expected apps to use whichever type of internet is enabled in AFWall+, i.e. I can decide some apps go through the VPN-firewall, and others connect directly.

AFWall paid v3.1.0 from Fdroid,
LineageOS 15.1 Android8.1 from MicroG (https://download.lineage.microg.org/mido/lineage-15.1-20190403-microG-mido.zip)
Xposed 90-beta3 and XprivacyLua 1.24 Pro (no restrictions on AFWall)

VPN via Blokada 3.7.022000 FDroid.

[johncarterofmars]

I am having the same issue. LineageOS 16. If the VPN isn't connected, all apps are still able to access the net. I am using the ovpn client.

Have there been any updates for this?