I’m asking for Android specifically, but I’m curious what else is out there.

For example, some apps work without internet but may use it if it’s available. I might want to block that without having to turn off wifi, force stopping it, and wiping the cache/data.

Similarly, maybe I only want to use the app over a VPN and want to prevent accidentally opening it without first turning the VPN on.

  • jet (@jet@hackertalks.com)
    4 months ago

    On Android, there’s a VPN in F-Droid that acts as a firewall, so you can say this app has internet, this app doesn’t have internet.

    To ensure that this program only works with a VPN, you can set up a work profile and require always-on VPN in the Android settings; then this app running in the work profile must use the VPN no matter what.

    GrapheneOS has the internet kill switch built in for any app anywhere.

    Depending on your threat model, you need to be very careful: just because an app doesn’t have direct internet access doesn’t mean it can’t talk to Google Play and pass messages that way. In the Android model, apps can talk to each other consensually, and you can’t stop that.

    For desktop computers, we’d be talking about virtual machines and network namespaces to enforce your policy rules. Qubes is the gold standard here.

  • Netguard is a FOSS Android app which kinda works like a firewall. You can allow/block network access on a per-application basis. You can limit access e.g. on WiFi or on mobile etc. It also supports blocklists, supplementing your ad blocker.

    To the Android OS, Netguard acts as if it were a VPN.

    Limitations:

    • if you want to filter Android system services, you will break things. You will need to spend some time to do it right.
    • Chaining it to another VPN is only possible via SOCKS proxy
    • if you want to route some app’s traffic via VPN and others not, I think that is not possible. You could, however, manually turn off an app’s internet connection before disconnecting the VPN, if that is not too error-prone for you.

    The app is very stable, I have been using it for about 5 years without problems. For most use cases it is fire-and-forget, i.e. I rarely open the app any more.

  • You should be able to kind of do both through Android settings.

    Settings -> Apps -> YourApp -> Mobile data usage -> Allow Network access and Mobile Data

    For VPN you’ll need to add a VPN and then Settings -> Network and Internet -> VPN -> YourVPN -> Always-on VPN and Block connections without VPN. This blocks all apps. There are two issues with this, though: blocking connections will block split-tunneling connections set up through VPNs, and also potentially this, depending on the apps you’re using: https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android
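An added way to check the first half of the above (the per-app data restriction) from a computer rather than by clicking through Settings. This is an editorial example, not code from anyone in the thread: it parses the text that `adb shell cmd netpolicy list restrict-background-blacklist` and `adb shell dumpsys package` print and maps restricted UIDs back to package names. The exact output formats, and the subcommand name (newer builds may spell it differently), are assumptions; the sample output is constructed so the script runs offline, and it only covers the Data Saver background restriction, not a firewall VPN such as NetGuard or GrapheneOS’s network permission.

```python
"""Audit which Android packages are restricted from background data.

Added example for this thread, not code posted by any commenter.
Assumptions (labelled as such): the `cmd netpolicy` subcommand name and
the line formats below reflect recent AOSP builds and may differ on
OEM firmware. Sample output is constructed so the script runs offline.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `adb shell cmd netpolicy list restrict-background-blacklist`.
# Assumed format: one line listing restricted app UIDs (or "none").
SAMPLE_BLACKLIST = "Restrict background blacklisted UIDs: 10108 10231\n"

# Constructed sample of `adb shell dumpsys package`, trimmed to the lines
# this script needs. Assumed format: "Package [name] (hash):" followed by
# an indented "userId=<uid>" line.
SAMPLE_PACKAGES = """\
Packages:
  Package [com.example.maps] (a1b2c3):
    userId=10108
    versionName=4.2
  Package [org.example.notes] (d4e5f6):
    userId=10231
  Package [com.example.browser] (789abc):
    userId=10042
"""

# App UIDs start at 10000; matching 4+ digit integers tolerates either a
# space-separated list or "uid=NNNNN" lines without caring which is used.
UID_RE = re.compile(r"\b(\d{4,})\b")
PKG_RE = re.compile(r"Package \[([\w.]+)\][^\n]*\n\s*userId=(\d+)", re.M)


def parse_restricted_uids(text: str) -> List[int]:
    """Return the sorted set of UIDs named in the netpolicy listing."""
    return sorted({int(u) for u in UID_RE.findall(text)})


def parse_package_uids(text: str) -> Dict[str, int]:
    """Map package name -> UID from dumpsys package output."""
    return {pkg: int(uid) for pkg, uid in PKG_RE.findall(text)}


def restricted_packages(blacklist_text: str, packages_text: str) -> Dict[str, bool]:
    """Map package name -> True if its UID is on the restrict-background list."""
    restricted = set(parse_restricted_uids(blacklist_text))
    return {pkg: uid in restricted
            for pkg, uid in parse_package_uids(packages_text).items()}


def adb_shell(*args: str) -> str:
    """Run a command on the attached device via adb and return its stdout."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        blacklist = adb_shell("cmd", "netpolicy", "list", "restrict-background-blacklist")
        packages = adb_shell("dumpsys", "package")
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No device or no adb: fall back to the constructed samples above.
        blacklist, packages = SAMPLE_BLACKLIST, SAMPLE_PACKAGES
    for pkg, blocked in sorted(restricted_packages(blacklist, packages).items()):
        print(f"{'restricted' if blocked else 'allowed   '}  {pkg}")
```

With a device attached, an empty result for an app you expected to see means the Settings toggle either did not stick or maps to a different mechanism on that firmware; in both cases the VPN-style firewalls mentioned elsewhere in the thread are the more reliable control.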

  • To prevent it using the internet at all, you can turn off individual apps’ access to WiFi and mobile data easily.

    To bind to a VPN, I use ProtonVPN, and I’m pretty sure the Android app has the split-tunnelling feature to allow this as well. Not sure if that protects against leaks, but you could just have the VPN on all the time and use Android’s VPN settings to prevent any data usage outside the VPN.

  • apis (@apis@beehaw.org)
    14 months ago

    You could try NextDNS. It won’t let you designate access per app, but you can create custom blocklists. Short-term logging makes it easy to see at a glance which domains are being requested, and it doesn’t take long to get it all set up so that your apps only contact stuff which is strictly necessary in your view. Also comes with many blocklists to choose from, as well as other useful settings.