[BUG] On a GrapheneOS User Profile, Orbot fails SILENTLY, apps connect seamlessly over clearnet

[new-phone]

Describe the Bug
Orbot on new User Profile does not connect or provide VPN to any apps. (Graphene OS). Fails silently, despite onion icon visible. Apps connect in clearnet.

To Reproduce

1. Make new user profile on GrapheneOS install (note, no relevant settings have been knowingly altered in Owner)
2. Install Orbot from Google Play in Owner profile, push to new profile
3. Launch profile, review settings in Orbot but make no changes (I'm a noob) - Orbot declares it will provide VPN to all apps. Note onion icon in tray.
4. Separately, use Tor Browser with its own connection - works as expected.
5. Use apps, Infinity_for_reddit, Vanadium browser.
6. discover that Vanadium browser loads whatismyisp.com with correct, real ISP location
7. Freak out.
8. Review settings: selecting apps does nothing; connection is by bridges <-- thought I saw that somewhere, but cannot find it in settings now (very tired).
9. Tried different settings, (below), no success

Expected Behavior
If the app says its providing a VPN for all apps, it should provide VPN for all apps.

It should NOT fail silently.

If there are special config considerations, they should be announced in a first-run dialog/wizard, in-app.

If the app needs to be integrated into the operation of e.g. Android VPN settings, instructions should be provided in-app (VPN settings are not self-evident).

Consider also a 'fail-safe' mode, where apps fail to make connections without functional Tor connection.

EDIT II : Actually, failsafe is apparently already built in to Android. See instructions here on Graphene OS forum. For this issue, I just don't understand why it didn't work.

EDIT I: The onion icon is displayed in the tray at all times, regardless of connection status. This is deceptive. If you insist on having an icon at all times, consider an 'empty onion' to indicate lack of connectivity, or a 'strikethrough onion' for no VPN services, or something like that. It has to indicate status.

What Custom Configuration Do You Use?
Installation as above. Didn't understand the config options, so left them be for first couple of sessions.
Later, tried the options:

• isolate destination addresses
• selected apps to use VPN
• change exit
• refresh
  but don't seem to have an effect

Screenshots
No screenshot, but log highlights (different device, retyped here) include:

• Tor is no longer dormant
• No circuits are opened. Relaxed timeout for circuit 373... to 6000ms...
• Heartbeat: Tor's uptime is 6:00 hours, with 5 circuits open ... sent 3.29MB and received 2.43 MB
• etc. There's not much, really.

Also the message:

Proxy Ports
HTTP:8118 - SOCKS: 9050

Orbot 17.3.2-RC-1-tor-0.4.8.12
Tor v0.4.8.12

Smartphone (please complete the following information):
Pixel 8a, GrapheneOS Android 14 (all updated)

Crash Logs (Advanced)
If applicable, add crash logs collected using ADB Logcat.

Additional Context
See additional steps in comments.

[jcfyre]

I really like your idea of a failsafe: Either a stable Tor connection or a forced failed connection to be able to safely keep apps offline until reconnected.

[new-phone]

Tried closing and restarting, got a dialog about establishing a VPN.

Managed to briefly get a connection, but shortly after all connectivity failed.

Orbot declares "connected" in all cases.

[new-phone]

Made new profile, only added Orbot (Vanadium default installed).

Got first run establishing VPN dialog. No other setting touched. Vanadium showed connection over Tor - whatismyipaddress.com shows exit in Saskatchewan, Canada.

Refreshed, doubled-checked exit nodes (global), refreshed again - each connection exits in same Canadian location, but IPv6 and 4 addresses are different.

[new-phone]

Finally (not spending more time on this), its not re-establishing a connection in original profile.

Refresh, off-on again has no effect.

• Press the "Turn Tor off" option --> "Ready to connect" screen. Tray icons change.
• Without connecting again, all traffic on Vanadium is now/still blocked.
• checking with Orbot again, it says its "Connected" - I did not initiate that.
• all apps are deselected in Orbot, displaying "Full Device VPN"

[new-phone]

@jcfyre

I really like your idea of a failsafe: Either a stable Tor connection or a forced failed connection to be able to safely keep apps offline until reconnected.

Actually, its apparently already built in to Android. See instructions here on Graphene OS forum.

How well that would work on stock or other variants (i.e. with functional Google Play), I don't know but wouldn't trust it.

For this issue, I just don't understand why it didn't work / didn't prompt me to set it up on first run (I can't remember which, it was days ago now).