If you searched for VPN split tunneling explained, the short answer is this: split tunneling lets you decide which apps, websites, or traffic routes use your encrypted VPN tunnel and which ones use your normal internet connection. That flexibility can improve speed, reduce app conflicts, and keep local services working — but it also creates real privacy and security trade-offs.
This tutorial explains how split tunneling works, when it helps, when it is risky, and how to configure it more safely using only evidence from the researched sources.
1. What VPN Split Tunneling Means
VPN split tunneling is a VPN feature that divides your internet traffic into two paths:
| Traffic path | What happens | What websites/services see |
|---|---|---|
| VPN tunnel | Traffic is encrypted and routed through the VPN server | The VPN server’s IP address |
| Direct internet connection | Traffic bypasses the VPN and uses your regular ISP connection | Your real IP address and location |
Fortinet defines VPN split tunneling as the ability to route some application or device traffic through an encrypted VPN while other applications or devices access the internet directly. TechRadar describes it similarly: you choose which apps are covered by the encrypted VPN tunnel and which bypass it.
In a normal full-tunnel VPN setup, 100% of your internet traffic is routed through the VPN by default. Split tunneling changes that default by letting you choose exceptions.
Key insight: Split tunneling is not mainly a security upgrade. It is a control and usability feature. It helps you decide where VPN protection is necessary and where a direct connection is more practical.
For example, you might keep your browser, email client, and messaging app inside the VPN tunnel, while allowing your banking app or local printer connection to bypass the VPN because those services may not work well through a VPN server.
The benefit is flexibility. The trade-off is that any app or site outside the tunnel no longer gets the VPN’s IP masking or encryption.
2. How Split Tunneling Works Behind the Scenes
To understand how split tunneling works technically, start with what a VPN normally does.
When you connect to a VPN through a client app, the VPN creates a new network interface — often described as a virtual network adapter. Your device’s traffic is then routed through that adapter so the VPN can encrypt it and send it through a VPN server.
According to the WhatIsMyLocation technical guide, a VPN client can also rewrite the routing table on your device so traffic flows through the VPN interface. With split tunneling enabled, the VPN client adds more specific rules that tell only certain traffic to use the VPN.
The two-stream model
Split tunneling creates two traffic streams:
- Encrypted VPN stream: This traffic goes through the VPN tunnel. Your ISP and local network observers cannot see the contents of the traffic, and websites see the VPN server’s IP address.
- Direct internet stream: This traffic bypasses the VPN and uses your ordinary internet connection. It is not encrypted by the VPN, and websites can see your real IP address and location.
TechRadar warns that when you exclude an app from the VPN tunnel, you are essentially “turning off” the VPN for that app.
How routing rules are applied
Different split tunneling methods use different rule types:
| Rule type | How it works behind the scenes | Example use |
|---|---|---|
| App-based rules | Intercept traffic at the application or process level before it reaches the network stack | Exclude a banking app from the VPN |
| URL/domain-based rules | Use hostname or domain rules, sometimes involving local DNS behavior | Route a specific website outside the VPN |
| IP-range rules | Add specific CIDR/IP routes pointing to the VPN or direct gateway | Route corporate IP ranges through VPN |
| Inverse split tunneling | Only selected apps/sites use the VPN; everything else goes direct | Protect only work apps or financial apps |
This is why split tunneling can be more precise than simply turning your VPN on or off. You can keep the VPN active for sensitive activities while avoiding VPN-related problems for services that need your real location or local network access.
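An added example, not taken from the cited sources or from any VPN client: a simplified model of the routing-table behaviour described above, where the most specific matching route wins and a lower metric breaks ties. Interface names, metrics and all addresses are constructed assumptions, and the full-tunnel table assumes a client whose default route also captures LAN traffic.

```python
import ipaddress
from typing import NamedTuple

VPN_IF = "vpn0"   # hypothetical name for the VPN's virtual adapter
WAN_IF = "eth0"   # hypothetical name for the physical interface


class Route(NamedTuple):
    prefix: str        # destination in CIDR form
    interface: str     # interface the packet leaves on
    metric: int = 0    # lower wins when prefix lengths tie


def select_route(routes, dest):
    """Pick the route for `dest`: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def path_for(routes, dest):
    """Classify a destination as 'vpn', 'direct' or 'unreachable'."""
    route = select_route(routes, dest)
    if route is None:
        return "unreachable"
    return "vpn" if route.interface == VPN_IF else "direct"


def resolvers_outside_tunnel(routes, resolvers):
    """DNS servers reached directly: lookups sent to them bypass the VPN."""
    return [ip for ip in resolvers if path_for(routes, ip) == "direct"]


# Constructed sample tables (documentation address ranges, not real networks).
BASE = [
    Route("0.0.0.0/0", WAN_IF, metric=100),        # ISP default route
    Route("198.51.100.9/32", WAN_IF, metric=100),  # VPN server itself stays direct
]
# Full tunnel: the client adds a default route with a better metric.
FULL_TUNNEL = BASE + [Route("0.0.0.0/0", VPN_IF, metric=10)]
# Standard split tunneling by IP range: VPN stays the default, two ranges bypass it.
STANDARD_SPLIT = FULL_TUNNEL + [
    Route("203.0.113.0/24", WAN_IF, metric=10),    # service that rejects VPN logins
    Route("192.168.1.0/24", WAN_IF, metric=10),    # home LAN (printer, NAS)
]
# Inverse split tunneling: only the corporate range uses the VPN.
INVERSE_SPLIT = BASE + [Route("10.20.0.0/16", VPN_IF, metric=10)]

if __name__ == "__main__":
    tables = [("full", FULL_TUNNEL), ("standard", STANDARD_SPLIT),
              ("inverse", INVERSE_SPLIT)]
    for name, table in tables:
        for dest in ["192.0.2.80", "203.0.113.10", "10.20.5.5", "192.168.1.50"]:
            print(f"{name:9} {dest:14} -> {path_for(table, dest)}")
        leaks = resolvers_outside_tunnel(table, ["192.0.2.53", "10.20.0.53"])
        print(f"{name:9} resolvers outside tunnel: {leaks}")
```

In the inverse table the ISP resolver falls through to the direct default route, which is the routing-level shape of the DNS leak risk discussed in section 5.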
3. App-Based vs Website-Based Split Tunneling
Not every VPN implements split tunneling the same way. Some VPNs let you choose apps. Others let you choose websites or domains. Some support both. A smaller number support inverse split tunneling.
Security.org notes that split tunneling settings in a VPN app generally affect the whole device, while split tunneling in a browser extension affects only browser traffic.
App-based split tunneling
App-based split tunneling lets you choose specific applications that should either use or bypass the VPN.
For example:
- Browser: Keep Chrome, Firefox, or another browser inside the VPN tunnel.
- Banking app: Let the banking app bypass the VPN so the bank sees your real location.
- Gaming app: Exclude the game to reduce latency.
- Printer utility: Exclude it so it can communicate with local network devices.
TechRadar says most implementations let you choose apps on an exclusionary basis, meaning the VPN protects everything except the apps you exclude. Some VPNs also let you choose only specific apps to use the VPN connection.
Website-based or domain-based split tunneling
Website-based split tunneling lets you create rules for URLs, hostnames, or domains.
Security.org describes URL/domain exclusion as more granular because you can specify exact websites or entire domains. For example, an organization could exclude a company domain while keeping other browsing protected.
Website-based rules can be useful when only one site has trouble with your VPN, but you do not want to exclude your entire browser.
Inverse split tunneling
Inverse split tunneling flips the usual model. Instead of choosing what bypasses the VPN, you choose what must use the VPN. Everything else uses the direct connection.
Security.org says this approach is useful when you only need to secure specific activities, such as work applications or financial transactions.
| Split tunneling type | Default behavior | You choose | Best suited for |
|---|---|---|---|
| Standard app-based split tunneling | Most traffic uses VPN | Apps that bypass VPN | Keeping VPN on while fixing app conflicts |
| Website/domain split tunneling | Browser or web traffic follows rules | Specific URLs/domains | Sites that block VPNs or require local IP |
| Inverse split tunneling | Most traffic bypasses VPN | Apps/sites that use VPN | Securing only selected sensitive activity |
| IP-range split tunneling | Traffic follows routing table rules | IP ranges or CIDR blocks | Advanced corporate or network routing |
At the time of writing, source data indicates that Windows and Android tend to offer the broadest split tunneling support. Apple platforms may have restrictions because of operating system design and sandboxing requirements, and VPN providers do not always offer the same split tunneling features on every device.
4. Best Use Cases for Split Tunneling
Split tunneling is most useful when a full VPN tunnel creates speed, access, or compatibility problems. The strongest use cases from the research are below.
1. Access banking apps that block VPN traffic
TechRadar and Security.org both identify banking apps as a common reason to use split tunneling. Some banking apps block VPN IP addresses or flag logins from unfamiliar locations.
With split tunneling, your banking app can connect directly using your real IP address while the rest of your device remains protected by the VPN.
- Use VPN for: Browser, email, messaging.
- Bypass VPN for: Banking app that rejects VPN logins.
- Why it helps: The bank sees the location it expects.
2. Improve gaming performance and reduce latency
VPNs can slow traffic because data is encrypted, decrypted, and routed through an extra server. TechRadar notes that low latency is important for online gaming and that split tunneling can help by sending gaming traffic through the default connection.
Security.org also says VPN tunneling can reduce speed because all communications go through VPN encryption and VPN servers. In its testing framework, it considers anything below a 40% reduction in speed to be “pretty good,” and says many VPNs do not meet that benchmark.
- Use VPN for: Sensitive browsing and communication.
- Bypass VPN for: Online games.
- Why it helps: Avoids the added VPN path for latency-sensitive traffic.
3. Keep access to local printers, NAS devices, and LAN resources
Fortinet and TechRadar both mention local-area-network access as a practical split tunneling use case. A full VPN tunnel may interfere with local devices such as printers, file servers, or NAS devices.
Split tunneling can allow local traffic to stay on your LAN while internet-facing apps continue to use the VPN.
- Use VPN for: Internet apps.
- Bypass VPN for: Local printer, NAS, or file-share traffic.
- Why it helps: Keeps local network discovery and access working.
4. Use local services while traveling
When traveling, you may need both VPN protection and local access. TechRadar gives examples such as checking local news or weather while keeping other work or personal information secured through the VPN.
Fortinet also notes that split tunneling can help when websites or search engines work best when they know your location.
- Use VPN for: Work apps or sensitive browsing.
- Bypass VPN for: Local news, weather, or location-dependent services.
- Why it helps: Avoids location mismatch problems.
5. Avoid streaming or website VPN blocks
Some services block VPN users. TechRadar notes that VPN providers may try to maintain access to many sites, but it is not possible to unblock everything. Shared VPN IP addresses can also trigger more captchas.
Split tunneling lets a blocked service use your direct connection instead of the VPN.
- Use VPN for: Other apps and browsing.
- Bypass VPN for: The service that blocks VPN traffic.
- Why it helps: The service sees your regular IP address.
6. Conserve VPN bandwidth for sensitive traffic
Fortinet says many organizations experience VPN bandwidth restrictions because traffic must be encrypted and sent to a server in another location. Split tunneling can help by sending less-sensitive traffic outside the VPN.
This can be useful when the VPN should be reserved for sensitive files, email, or work applications.
| Use case | Route through VPN | Route directly |
|---|---|---|
| Banking app conflict | Browser, email, messaging | Banking app |
| Gaming latency | Sensitive browsing | Game client |
| Local printer access | Internet apps | Printer/LAN traffic |
| Travel | Work and personal sensitive apps | Local news/weather |
| Streaming block | Other apps | Streaming app or site |
| Limited VPN bandwidth | Sensitive work data | Low-risk traffic |
5. Security Risks and Privacy Trade-Offs
Split tunneling is useful, but the security risks are real. The main risk is simple: traffic outside the VPN tunnel does not receive VPN protection.
Critical warning: Any app that bypasses the VPN may reveal your real IP address and location, and its traffic is not encrypted by the VPN.
Risk 1: Your ISP can see direct traffic metadata
When traffic bypasses the VPN, it uses your normal internet connection. TechRadar explains that this traffic appears to come from your local network, revealing your real IP address and location.
That does not necessarily mean every app’s content is readable — many apps use their own encryption — but the VPN is no longer protecting that path.
Risk 2: DNS leaks become more likely
The WhatIsMyLocation guide warns that split tunneling can increase the risk of DNS leaks if DNS queries are routed outside the VPN. In that case, your ISP may see which domains you are looking up even if some page traffic goes through the tunnel.
This is why DNS leak testing is commonly recommended after configuring split tunneling.
Risk 3: WebRTC may expose your real IP
The same source also warns that browsers communicating outside the VPN may reveal your actual IP address through WebRTC. This is especially relevant if you exclude a browser from the VPN tunnel.
Risk 4: VPN security features may be bypassed
TechRadar notes that traffic excluded from the VPN may also bypass the VPN provider’s anti-malware checks or site blocklists. That can expose users to malicious websites, third-party tracking, or spyware that the VPN’s protections might otherwise help block.
Risk 5: Corporate monitoring and controls may be bypassed
Fortinet gives a business-focused warning: split tunneling can let users bypass proxy servers, DNS protections, data-loss-prevention systems, and other corporate security controls. If a remote worker’s device is compromised while using split tunneling, the organization’s network can remain at risk.
Fortinet also explains that proxies can help limit traffic to questionable websites, monitor usage, and block communication with command-and-control servers. Split tunneling may prevent corporate IT from seeing some risky traffic.
Risk 6: Misconfiguration can create false security
TechRadar warns that split tunneling can create a false sense of security. If a user excludes a browser for one session and forgets to reverse the setting, they may later expose their real IP address on other sites.
The same source also mentions that incorrect implementation can cause traffic that should be covered by the VPN to fall back to the normal connection. It cites an ExpressVPN split tunneling implementation that led to DNS leaks, later fixed.
| Risk | What can happen | Safer practice |
|---|---|---|
| Real IP exposure | Excluded apps show your real location | Exclude only apps that need it |
| DNS leaks | ISP may see domain lookups | Run a DNS leak test after setup |
| WebRTC exposure | Browser may reveal real IP | Test browser leaks if excluding browsers |
| Bypassed VPN protections | VPN malware/site blocking may not apply | Keep risky browsing inside VPN |
| Corporate policy conflict | Security monitoring may be bypassed | Follow employer VPN rules |
| Forgotten exclusions | Long-term privacy loss | Review split tunneling rules regularly |
6. When You Should Not Use Split Tunneling
Split tunneling is not appropriate for every situation. In some cases, a full VPN tunnel is safer and simpler.
Avoid split tunneling on public Wi-Fi for sensitive apps
TechRadar warns that unprotected data can be exposed to attackers, especially on unsecured networks such as public Wi-Fi hotspots. If you are on public Wi-Fi, avoid excluding apps that handle sensitive data unless you are confident those apps encrypt their own traffic and you understand the exposure.
Avoid it if your employer requires full-tunnel VPN
The WhatIsMyLocation guide notes that many IT policies require full tunnel VPNs so the company can monitor traffic and enforce security policies. Fortinet also highlights the risk of bypassing corporate DNS, proxy, and data-loss-prevention systems.
If you are using a managed work device, do not enable split tunneling unless your IT policy allows it.
Avoid excluding your main browser unless necessary
Your browser handles many types of activity: search, email, payments, work apps, cloud storage, and account logins. If you exclude the whole browser, all of that web activity bypasses the VPN.
If only one website has trouble with the VPN, website-based exclusion is safer than excluding the entire browser — if your VPN supports it.
Avoid it if you cannot verify the result
Split tunneling should be tested. If you do not know which apps are inside the tunnel and which are outside, you may assume you are protected when you are not.
Avoid it for high-risk or unknown apps
The NetworkDNA source notes that split tunneling increases the attack surface because some traffic bypasses VPN protections. Unknown, untrusted, or high-risk apps should not be given direct internet access simply for convenience.
Rule of thumb: If privacy, anonymity, or corporate security controls matter more than speed or compatibility, use a full VPN tunnel instead of split tunneling.
7. How to Set Up Split Tunneling Safely
Exact setup steps vary by VPN provider, operating system, and app version. At the time of writing, the researched sources mention split tunneling support across major VPNs including NordVPN, Surfshark, ExpressVPN, Proton VPN, PrivadoVPN, Mullvad, and Private Internet Access, though availability can differ by platform.
Security.org notes that providers may use different names. For example, ExpressVPN may refer to routing lists, NordVPN to app split tunneling, and Surfshark to Bypasser.
Step 1: Confirm your VPN supports split tunneling on your device
Do not assume support is identical across platforms. TechRadar notes that providers are inconsistent across devices, especially on mobile clients. Security.org says Windows and Android tend to have the most comprehensive support, while Apple operating systems may restrict some implementations.
- Windows/Android: Often broader split tunneling support.
- macOS/iOS: May have restrictions or limited methods.
- Browser extensions: Rules may apply only to browser traffic.
Step 2: Decide your default model
Choose between standard and inverse split tunneling.
| Model | Best when | Example |
|---|---|---|
| Standard split tunneling | You want most traffic protected by VPN | Exclude only banking app and printer |
| Inverse split tunneling | You want only selected apps protected | Tunnel only work app and financial site |
For most privacy-conscious users, standard split tunneling is usually the safer starting point because the VPN remains the default for most traffic.
Step 3: Keep sensitive apps inside the VPN
The WhatIsMyLocation guide recommends keeping browsers, email clients, messaging apps, and torrent clients in the VPN for a privacy-conscious setup.
Based on the source data, a reasonable baseline is:
- Keep in VPN: Browsers, email, messaging, sensitive work apps.
- Exclude only when needed: Banking apps, local network tools, smart home apps, OS update services, or services that break under VPN.
- Review carefully: Streaming and gaming apps, depending on whether speed or location privacy matters more.
Step 4: Enable split tunneling in your VPN settings
The NordVPN example from the WhatIsMyLocation source gives a typical workflow:
- Open settings in the VPN app.
- Find Split Tunneling.
- Enable Split Tunneling.
- Choose a mode, such as disabling VPN for selected apps or enabling VPN only for selected apps.
- Add apps that should be routed outside or inside the VPN.
- Connect to a VPN server.
- Verify IP behavior in tunneled and excluded apps.
This workflow is representative, but menus and terminology vary by provider.
Step 5: Use a kill switch alongside split tunneling
A kill switch and split tunneling are different features.
| Feature | Purpose | When it applies |
|---|---|---|
| Split tunneling | Intentionally routes selected traffic outside the VPN | Always, based on your rules |
| Kill switch | Blocks internet access if the VPN drops unexpectedly | Only when the VPN connection fails |
The WhatIsMyLocation guide recommends using a kill switch alongside split tunneling. The kill switch helps prevent accidental exposure of traffic that is supposed to remain inside the VPN tunnel.
Step 6: Test for leaks
After setup, test whether your traffic is behaving as expected.
- IP check: Confirm tunneled apps show the VPN IP and excluded apps show your real IP.
- DNS leak test: Check whether DNS queries are escaping the VPN unexpectedly.
- WebRTC leak test: Especially important if a browser is excluded or browser-based communication is involved.
8. Troubleshooting Speed and App Conflicts
Split tunneling is often enabled because something is slow or broken. Here is how to diagnose the most common problems.
Problem: A website blocks your VPN
Some services block VPN users or trigger captchas because many users share the same VPN IP address. TechRadar notes that it is impossible for VPN providers to unblock everything.
Try this:
- Website rule: Exclude only that domain if your VPN supports URL/domain rules.
- App rule: If domain rules are unavailable, exclude the relevant app.
- Avoid full disconnect: Keep the VPN active for other traffic where possible.
Problem: Your banking app will not log in
Banking apps may reject VPN IP addresses or unexpected locations.
Try this:
- Exclude the banking app: Let it use your direct connection.
- Keep other apps protected: Do not disable the whole VPN unnecessarily.
- Remove the rule afterward: If it was only needed once, turn it off.
Problem: Gaming or video calls feel slow
VPN routing can add latency because traffic passes through an extra server and encryption process. TechRadar specifically notes this can affect gaming.
Try this:
- Exclude the game: Route gaming traffic directly.
- Keep chat or browser in VPN: Only exclude the latency-sensitive app.
- Check whether the VPN server distance matters: The source data explains that sending data to a server in another location can contribute to performance issues.
Problem: Local printers or file servers disappear
A full VPN tunnel can interfere with LAN access. Fortinet says VPN encryption may block access to LAN resources, while split tunneling can preserve access to local printers.
Try this:
- Exclude local network tools: Allow printer, NAS, or file-sharing traffic outside the VPN.
- Use LAN-specific rules if available: Some setups may support IP-range rules.
- Do not exclude unrelated apps: Keep the rule narrow.
Problem: Work VPN conflicts with personal VPN
The WhatIsMyLocation guide recommends excluding a work intranet or corporate VPN client to avoid double-VPN conflicts.
Try this:
- Ask IT first: Corporate policy may prohibit split tunneling.
- Exclude the corporate VPN client only if allowed.
- Avoid routing work traffic outside required controls.
Problem: You are not sure whether split tunneling is working
Try this verification sequence:
- Check your IP in a tunneled browser: It should show the VPN IP.
- Check your IP in an excluded app/browser: It should show your real IP.
- Run a DNS leak test: Confirm DNS behavior matches your privacy expectations.
- Run a WebRTC leak test: Especially if browser traffic is involved.
- Review the app list: Remove old exclusions you no longer need.
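An added example, not from the cited sources or any VPN provider's tooling: one way to evaluate the results of the verification sequence above (and of Step 6 in section 7) once you have noted, per app, the public IP, the DNS resolvers a leak test reported, and any WebRTC ICE candidate lines. The field names, finding labels and all addresses are constructed assumptions.

```python
import ipaddress
import re

# ICE candidate fields: foundation, component, transport, priority,
# address, port, the literal "typ", candidate type.
ICE_RE = re.compile(r"candidate:\S+ \d+ \w+ \d+ (?P<addr>\S+) \d+ typ (?P<typ>\w+)")


def in_any(ip, networks):
    """True if `ip` falls inside any CIDR block in `networks`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def ice_addresses(candidate_lines):
    """Return (address, type) pairs from ICE candidate lines; non-IP hosts are skipped."""
    pairs = []
    for line in candidate_lines:
        match = ICE_RE.search(line)
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group("addr"))
        except ValueError:  # e.g. an mDNS name ending in ".local"
            continue
        pairs.append((match.group("addr"), match.group("typ")))
    return pairs


def check_app(obs, profile):
    """Compare one app's recorded test results with its split tunneling rule."""
    findings = []
    if obs["rule"] == "vpn":
        if not in_any(obs["public_ip"], profile["vpn_egress"]):
            findings.append(("IP_LEAK", obs["public_ip"]))
        for resolver in obs["dns_resolvers"]:
            if not in_any(resolver, profile["vpn_dns"]):
                findings.append(("DNS_LEAK", resolver))
        for addr, typ in ice_addresses(obs["ice_candidates"]):
            if addr == profile["real_ip"]:
                findings.append(("WEBRTC_LEAK", f"{addr} ({typ})"))
    elif obs["rule"] == "direct":
        # An excluded app should NOT appear to come from the VPN.
        if in_any(obs["public_ip"], profile["vpn_egress"]):
            findings.append(("EXCLUSION_NOT_APPLIED", obs["public_ip"]))
    else:
        raise ValueError(f"unknown rule: {obs['rule']!r}")
    return findings


def audit(observations, profile):
    """Map each app name to its list of findings (empty list means as expected)."""
    return {obs["app"]: check_app(obs, profile) for obs in observations}


# Constructed sample data (documentation address ranges, hypothetical field names).
PROFILE = {
    "real_ip": "203.0.113.45",           # address the ISP assigned
    "vpn_egress": ["198.51.100.0/24"],   # where VPN exit servers live
    "vpn_dns": ["198.51.100.53/32"],     # resolver the VPN is expected to use
}
BROWSER_ICE = [
    "candidate:1 1 udp 2122260223 192.168.1.20 46154 typ host",
    "candidate:2 1 udp 2122260223 constructed-host-id.local 46155 typ host",
    "candidate:3 1 udp 1686052607 203.0.113.45 46154 typ srflx raddr 192.168.1.20 rport 46154",
]
OBSERVATIONS = [
    {"app": "browser", "rule": "vpn", "public_ip": "198.51.100.77",
     "dns_resolvers": ["198.51.100.53", "192.0.2.53"], "ice_candidates": BROWSER_ICE},
    {"app": "banking", "rule": "direct", "public_ip": "203.0.113.45",
     "dns_resolvers": ["192.0.2.53"], "ice_candidates": []},
    {"app": "game", "rule": "direct", "public_ip": "198.51.100.77",
     "dns_resolvers": ["192.0.2.53"], "ice_candidates": []},
]

if __name__ == "__main__":
    for app, findings in audit(OBSERVATIONS, PROFILE).items():
        print(app, findings or "as expected")
```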
9. Split Tunneling Checklist for Safer Use
Use this checklist before enabling split tunneling.
- Purpose: Define exactly why you need split tunneling — speed, banking access, local printer access, streaming access, or work compatibility.
- Minimum scope: Exclude the fewest apps or sites possible.
- Sensitive data: Keep browsers, email, messaging, and sensitive work tools inside the VPN unless there is a specific reason not to.
- Banking exception: Exclude banking apps only if they block VPN traffic or require your real location.
- Public Wi-Fi caution: Avoid direct connections for sensitive apps on unsecured networks.
- Corporate policy: Do not use split tunneling on managed work devices unless allowed.
- Kill switch: Enable a VPN kill switch where available.
- DNS testing: Run a DNS leak test after configuration.
- WebRTC testing: Run a WebRTC leak test if browser traffic is involved.
- Regular review: Remove temporary exclusions after use.
- Device support: Confirm your VPN supports split tunneling on your operating system.
- Terminology check: Look for names like split tunneling, route list, app split tunneling, or Bypasser.
Safer default: Route everything through the VPN, then create narrow exceptions only for apps or sites that genuinely need direct access.
Bottom Line
Put simply, VPN split tunneling lets some traffic use your encrypted VPN tunnel while other traffic uses your normal internet connection. It is useful for banking apps, local printers, gaming, streaming conflicts, travel, and conserving VPN bandwidth.
The trade-off is that excluded traffic no longer benefits from VPN encryption, IP masking, or VPN-level protections. It may reveal your real IP address, create DNS or WebRTC leak risks, and bypass corporate security controls.
For most users, the safest approach is to keep the VPN on by default, enable a kill switch, exclude only the apps or sites that truly need direct access, and test the setup afterward.
FAQ
What is VPN split tunneling?
VPN split tunneling is a feature that routes some application, website, or device traffic through an encrypted VPN while allowing other traffic to access the internet directly. The VPN-routed traffic shows the VPN server’s IP address, while direct traffic shows your real IP address.
Does split tunneling make my VPN faster?
It can improve performance for traffic that bypasses the VPN because that traffic avoids VPN encryption and routing through an extra server. Fortinet notes that VPN encryption and server routing can create bandwidth and performance issues, while split tunneling can reduce VPN load.
Is split tunneling safe?
Split tunneling can be safe when used narrowly and intentionally, but it reduces protection for excluded traffic. Apps outside the VPN may reveal your real IP address, bypass VPN security features, and become more exposed on unsecured networks such as public Wi-Fi.
Should I use split tunneling for banking apps?
You may use it if your banking app blocks VPN connections or flags VPN IP addresses. In that case, split tunneling lets the banking app use your real location while keeping other apps connected through the VPN.
What is inverse split tunneling?
Inverse split tunneling means only selected apps or websites use the VPN, while everything else connects directly. Security.org describes it as useful when you only need to secure specific activities, such as work applications or financial transactions.
Should I use a kill switch with split tunneling?
Yes, where available. A kill switch blocks traffic if the VPN drops unexpectedly, while split tunneling intentionally routes selected traffic outside the VPN. The two features solve different problems and can be used together.










