I thought parts of the Android OS can by-pass the VPN so the firewall becomes ineffective against blocking Google, OEMs, and others that have root. Wouldn't the VPN API being used as a firewall also prevent one to use a VPN client at the same time?

for the latter, Rethink can be configured to work with eg. a wireguard VPN because it has a built-in wireguard client.

> Note though, Glasswire was recently acquired by another company

Ah that's why the premium stuff is now free. I was wondering. Let's hope it's not the first sign of enshittification.

> What do you mean by a "real" firewall?

In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

It's a sad state that you cannot even set a static IPv6 on Android without root.

> In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

Both (iptables/nftables and VPN APIs) have to be enforced by the Linux Kernel, which is subject to the same "Androidisms", if that makes sense.

root, in fact, opens up a gaping hole in that, it totally compromises Android's security model. IMO, it isn't worth to root Android just to run iptables (just because it seems like iptables is what makes a firewall).

IMHO Android's security model is incredibly flawed anyways. I don't even need root to access stuff I shouldn't have access to on my Mediatek based phone because the firmware has tons of gaping security holes anyways.

I think device you don't have root on isn't really yours and should be treated as a lease.

But you are right, when Wifi/Data is on at boot even the -tables might not get updated fast enough so stuff might get through.