Does mobile VPN encrypt incoming and outgoing traffic? I take it is given that they encrypt outgoing traffic, but do they encrypt traffic that comes back?

2nd Question.

Can a always on VPN replace a firewall? If I set the VPN to always on, and specify that no connections allowed unless VPN is on ( In settings > network & internet > VPN > (myVPNprovider) : Always ON + block connections without VPN.

My thinking is this: if all connections are encrypted, and all goes to the vpn server. Then, any attacks comming inbound should not work, unless Android is starting a listening service; accepting incomming traffic. And I have read that Android does not have any listening services.
How can I verify that incoming traffic to the phone is not connecting with the VPN turned on? I tried using nmap to find the phone in my lan, and nmap fails to find it, with the VPN on or off, Therefore I can't netcat to the phone to test.