A good VPN split tunneling guide should help you do two things at once: keep sensitive traffic protected while avoiding unnecessary VPN slowdown for low-risk apps or local services. Split tunneling is useful, but it is not a “set it and forget it” privacy feature—misconfigured rules can expose your real IP address, DNS requests, or corporate traffic.
Below is a practical tutorial on what VPN split tunneling is, how it works, when to use it, when to avoid it, and how to configure it safely using only the capabilities documented in the source research.
What Is VPN Split Tunneling?
VPN split tunneling is a VPN feature that lets you divide your internet traffic into separate paths instead of sending everything through the encrypted VPN tunnel.
In a normal VPN connection, your device routes internet traffic through a VPN server. That server encrypts your traffic and websites see the VPN server’s IP address rather than your real IP address. With split tunneling, some traffic still uses that encrypted VPN route, while other traffic goes directly through your regular internet connection.
| Traffic Type | Route | Encryption | IP Address Websites See |
|---|---|---|---|
| Tunneled traffic | Through the VPN server | Encrypted by the VPN | VPN server IP address |
| Direct traffic | Through your normal ISP connection | Not protected by the VPN tunnel | Your real IP address |
This is why split tunneling is often described as a way to balance privacy, performance, and compatibility.
For example, you might route your browser and email client through the VPN, while letting a local banking app, printer connection, or streaming app bypass the VPN. Sources describe split tunneling as configurable by app, website/domain, or IP range, depending on the VPN client and operating system.
Key idea: Split tunneling does not make all traffic safer. It gives you control over which traffic receives VPN protection and which traffic bypasses it.
Split tunneling vs. full tunnel VPN
A “full tunnel” is simply the regular VPN mode where all traffic goes through the VPN. The source data notes that “full tunnel” is not always formal VPN terminology, but it is commonly used to mean no split tunneling is enabled.
| Mode | What Happens | Best For |
|---|---|---|
| Full tunnel VPN | All traffic goes through the encrypted VPN tunnel | Maximum VPN coverage, public Wi-Fi, corporate security policies |
| Split tunneling | Some traffic uses the VPN; some bypasses it | Performance, local network access, app compatibility |
| Inverse split tunneling | Everything uses the VPN except specific excluded apps or sites | Safer default for most privacy-conscious users |
For most users, inverse split tunneling is the safer approach because the VPN protects everything by default, and you only exclude apps or websites that truly need direct access.
How Split Tunneling Works
When you connect to a VPN, your device normally creates a connection to a VPN server first. The VPN server then connects onward to the website or service you want to use. Because your traffic is encrypted and routed through an intermediary server, this can reduce speed compared with your direct ISP connection.
Split tunneling changes that routing behavior.
According to the source research, when a VPN connects, the VPN client may install a virtual network adapter and adjust your device’s routing table so traffic goes through that adapter. With split tunneling enabled, the VPN client creates more specific routing rules so only selected traffic uses the VPN.
Common split tunneling rule types
| Split Tunneling Type | How Rules Are Defined | Example Use |
|---|---|---|
| App-based split tunneling | Choose specific apps to include or exclude | Route a browser through the VPN, exclude a banking app |
| URL/domain-based split tunneling | Choose websites or domains | Send one streaming site through VPN, keep other browsing direct |
| IP-range split tunneling | Route specific IP ranges or CIDR blocks | Send internal company ranges or local subnets through a chosen route |
| Inverse split tunneling | VPN protects everything except selected exceptions | Exclude local printer or OS updates while protecting the rest |
App-based routing
With app-based rules, the VPN decides what to do based on the application generating the traffic.
For example, source data notes that ExpressVPN supports app-based split tunneling. Users can open the Options window and find split tunneling under the General tab, then choose apps to exclude from the VPN tunnel.
NordVPN also supports app-based split tunneling through its app. Source data also notes that website-based split tunneling for NordVPN is available through its browser extension rather than the main app.
URL or domain-based routing
Domain-based rules apply to hostnames or websites. This can be useful if one specific website breaks when accessed through a VPN but you still want the rest of your browser traffic protected.
Source data gives examples of VPNs that support app and/or URL-based rules:
| VPN Product | Split Tunneling Capabilities Mentioned in Source Data |
|---|---|
| Surfshark | “Bypasser” can include or exclude apps or websites from the VPN tunnel |
| NordVPN | App split tunneling in the app; website exclusions through browser extensions for Chrome, Firefox, and Edge |
| ExpressVPN | App-based split tunneling; source notes lack of website-based split tunneling as a downside |
| Proton VPN | Can include or exclude both apps and URLs |
| Mullvad | App-specific split tunneling available, but not for Apple devices |
| CyberGhost VPN | Windows and macOS users can prevent selected URLs from using the VPN tunnel; Android split tunneling applies to apps |
| IPVanish | Mentioned as a solid choice for Android and Fire OS device users |
Router-level split tunneling
Split tunneling can also be configured at the router level, but this is more technical and depends heavily on router firmware and network layout.
The source data includes an example using Tomato firmware-style routing rules:
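```sh
# Wait 30 seconds before changing routes; tun11 must be up when VPN_GW is read
sleep 30
# Start from an empty policy table 200 and a clean route cache
ip route flush table 200
ip route flush cache
# Traffic from these two LAN hosts is looked up in table 200
ip rule add from 192.168.1.11 lookup 200
ip rule add from 192.168.1.211 lookup 200
# Read the tunnel address from ifconfig and use it as the gateway
VPN_GW=$(ifconfig tun11 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
# Table 200 gets a single default route through the tunnel
ip route add table 200 default via "$VPN_GW" dev tun11
```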
In that example, the goal was to route devices with IP addresses 192.168.1.11 and 192.168.1.211 through the VPN. The reported problem was that other devices on the network could not browse the internet because they did not have an appropriate routing rule.
Router warning: Router-level split tunneling can affect every device on the network. If routes are incomplete, devices outside the intended rule set may lose internet access or bypass protection unexpectedly.
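The failure modes named in the router warning can be checked offline before a rule set is applied. The following Python model is an added example, not code from the source data or from any firmware project: it walks policy rules the way the kernel does (the first matching rule whose table has a route wins) and audits the rule set from the script above. The main-table contents, the `br0` and `wan0` interface names, the host 192.168.1.50 and the probe address are constructed assumptions.

```python
import ipaddress

# Policy rules from the script above, plus the built-in "main" rule. Priority
# numbers are illustrative; what matters is that both host rules precede main.
RULES = [
    (32764, "192.168.1.211/32", "200"),
    (32765, "192.168.1.11/32", "200"),
    (32766, "0.0.0.0/0", "main"),
]
TABLE_200 = [("0.0.0.0/0", "tun11")]  # default via the tunnel
# Assumed main tables (the page does not show them); br0/wan0 are made-up names.
MAIN_NO_DEFAULT = [("192.168.1.0/24", "br0")]
MAIN_WITH_DEFAULT = MAIN_NO_DEFAULT + [("0.0.0.0/0", "wan0")]

LAN_HOSTS = ["192.168.1.11", "192.168.1.211", "192.168.1.50"]
VPN_HOSTS = {"192.168.1.11", "192.168.1.211"}


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    nets = [(ipaddress.ip_network(prefix), dev) for prefix, dev in table]
    hits = [(net, dev) for net, dev in nets if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def egress(rules, tables, src, dst):
    """Walk rules by priority; a table with no matching route falls through."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules):
        if s in ipaddress.ip_network(selector):
            dev = lookup(tables.get(table, []), d)
            if dev is not None:
                return dev
    return None


def audit(tables, vpn_dev="tun11", probe="203.0.113.10"):
    """Return {host: problem} for every LAN host routed differently than intended."""
    findings = {}
    for host in LAN_HOSTS:
        dev = egress(RULES, tables, host, probe)
        if dev is None:
            findings[host] = "no route to the internet"
        elif host in VPN_HOSTS and dev != vpn_dev:
            findings[host] = f"should use the VPN but leaves via {dev}"
        elif host not in VPN_HOSTS and dev == vpn_dev:
            findings[host] = "tunneled although not in the VPN rule set"
    return findings


def incomplete_main():
    """Main table without a default route: hosts outside the rule set are cut off."""
    return audit({"200": TABLE_200, "main": MAIN_NO_DEFAULT})


def complete():
    """Both tables populated: every host takes its intended path."""
    return audit({"200": TABLE_200, "main": MAIN_WITH_DEFAULT})


def empty_table_200():
    """Table 200 flushed but not refilled (tun11 not up when VPN_GW was read):
    the two VPN hosts fall through to main and leave via the WAN."""
    return audit({"200": [], "main": MAIN_WITH_DEFAULT})


if __name__ == "__main__":
    for case in (incomplete_main, complete, empty_table_200):
        print(case.__name__, case())
```

The third case is the quiet one: nothing breaks for the user, but the two hosts that were meant to be tunneled leave through the WAN interface.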
Benefits of Using Split Tunneling
A well-configured split tunnel can improve everyday VPN usability without turning off VPN protection completely. The benefits come from choosing which traffic needs encryption and which traffic can safely use the normal connection.
1. Better performance for high-bandwidth tasks
VPNs can reduce speed because traffic is encrypted, decrypted, and routed through a VPN server. Security.org’s source data states that when testing VPN speeds, anything below a 40% reduction in speed is considered pretty good, and that many VPNs do not meet that benchmark.
Split tunneling can help by allowing bandwidth-heavy but lower-risk traffic to bypass the VPN.
Common examples from the source data include:
- Streaming: Exclude Netflix or another streaming app when you want local content and full local speeds.
- Gaming: Route games directly to reduce VPN-related latency.
- Software updates: Let OS update services use the direct connection.
- Video calls: Avoid routing low-risk calls through an extra VPN server if privacy needs are lower.
2. Access to local network devices
VPNs can interfere with access to local resources because all traffic may be sent to a remote VPN server instead of the local subnet.
Split tunneling can help you keep access to:
- Printers
- NAS devices
- Smart home devices
- Local file shares
- Workgroup devices
- Corporate intranet resources, depending on policy and configuration
This is one of the clearest use cases. You can keep sensitive internet traffic encrypted while still connecting to devices on your local network.
3. Fewer problems with banking and government sites
Some banking and government websites may flag or block logins from VPN IP addresses, especially if the VPN server appears to be in another region.
Split tunneling lets those apps or sites bypass the VPN so they see your expected real location.
That can be useful for:
- Online banking apps
- Government portals
- Tax or identity services
- Financial institutions that block VPN IP addresses
The trade-off is that those excluded services will see your real IP address.
4. Better multitasking
Split tunneling helps when you want to do secure and non-sensitive activities at the same time.
For example, source data describes a scenario where sensitive work information is uploaded through an encrypted tunnel while streaming traffic bypasses the VPN to preserve bandwidth. This avoids disconnecting from the VPN entirely just to improve performance for one activity.
5. Reduced VPN server load
Every byte routed through the VPN uses the provider’s infrastructure. Source data notes that excluding low-risk traffic, such as OS update services, can reduce VPN server load and may improve performance for the traffic you do protect.
Security and Privacy Risks to Understand
Split tunneling is useful, but it is also easy to misunderstand. The main risk is simple: anything outside the VPN tunnel is not protected by the VPN.
That means excluded apps, websites, or IP ranges may expose your real IP address, DNS requests, or browsing patterns.
Critical warning: Split tunneling intentionally creates an unencrypted path. If you exclude the wrong app, sensitive traffic may leave through your normal ISP connection.
Risk 1: Your real IP address can be exposed
Traffic that bypasses the VPN does not use the VPN server’s IP address. Websites and services on that direct route can see your real IP address.
This may be acceptable for a local banking app or printer, but it is risky for:
- Torrent clients
- Sensitive browsing
- Private messaging
- Work systems
- Public Wi-Fi sessions
Risk 2: DNS leaks become more likely
Source data specifically warns that DNS leaks can become more likely with split tunneling. If DNS queries are routed outside the VPN, your ISP may see which domains you look up even if page content is routed through the VPN.
This is why testing matters after setup.
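The routing-table behaviour described under "How Split Tunneling Works" and the DNS leak risk above can be checked together from a route listing. This Python script is an added example, not from the source data or any VPN vendor: it parses `ip -4 route show` output and resolv.conf text, applies longest-prefix matching, and reports resolvers whose queries would leave outside the VPN interface. The route listing, the two /1 tunnel routes, the interface names and all addresses are constructed assumptions; clients that split traffic per app enforce their rules differently.

```python
import ipaddress

# Constructed `ip -4 route show` output for a client with an inverse split
# tunnel; interface names, addresses and excluded ranges are assumptions.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
198.51.100.0/24 via 192.168.1.1 dev eth0
"""

# Constructed resolv.conf contents: a resolver handed out by the LAN router
# and a resolver reachable only through the tunnel.
LAN_RESOLV = "nameserver 192.168.1.1\n"
VPN_RESOLV = "nameserver 10.8.0.1\n"


def parse_routes(text):
    """Turn `ip -4 route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # skip blank lines and route types without a device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field is not a prefix (e.g. a route type keyword)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def parse_resolvers(resolv_conf):
    """Extract nameserver addresses from resolv.conf text."""
    return [
        fields[1]
        for fields in (line.split() for line in resolv_conf.splitlines())
        if len(fields) >= 2 and fields[0] == "nameserver"
    ]


def egress(routes, dst):
    """Longest-prefix match: the most specific matching route decides the path."""
    addr = ipaddress.ip_address(dst)
    if addr.is_loopback:
        return "lo"  # local stub resolver; its upstream must be checked separately
    hits = [(net, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def dns_leak_findings(route_text, resolv_conf, vpn_dev="tun0"):
    """List (resolver, device) pairs for resolvers not reached through the VPN."""
    routes = parse_routes(route_text)
    findings = []
    for resolver in parse_resolvers(resolv_conf):
        dev = egress(routes, resolver)
        if dev != vpn_dev:
            findings.append((resolver, dev))
    return findings


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("203.0.113.25", "198.51.100.7", "192.168.1.50"):
        print(dst, "->", egress(table, dst))
    print("LAN resolver:", dns_leak_findings(SAMPLE_ROUTES, LAN_RESOLV))
    print("VPN resolver:", dns_leak_findings(SAMPLE_ROUTES, VPN_RESOLV))
```

On systems with a local stub resolver, resolv.conf shows a loopback address, which the function reports as `lo`; the stub's upstream servers need the same check.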
Risk 3: WebRTC can reveal your real IP
Browsers may expose IP address information through WebRTC. Source data recommends using a WebRTC leak test to confirm whether your browser is revealing your real IP address.
This is especially important if you use browser-based split tunneling or exclude a browser from the VPN.
Risk 4: Malware can exploit unprotected paths
Any app outside the VPN tunnel operates without VPN encryption. On public Wi-Fi, that can increase exposure to interception or unsafe network conditions.
A VPN does not replace anti-malware protection, but split tunneling can reduce the scope of VPN protection if malware communicates through an excluded app or route.
Risk 5: Corporate policy violations
Many corporate environments require full-tunnel VPNs so security teams can monitor traffic and enforce policy. Source data warns that using split tunneling on a managed device may violate an employer’s acceptable-use policy.
If you are using a work laptop or corporate VPN, do not enable split tunneling unless your IT policy allows it.
Split tunneling risk summary
| Risk | What Can Happen | Safer Practice |
|---|---|---|
| Real IP exposure | Excluded apps reveal your actual IP | Exclude only low-risk apps |
| DNS leaks | ISP may see domain lookups | Run a DNS leak test after setup |
| WebRTC leaks | Browser may expose real IP | Run a WebRTC leak test |
| Corporate policy conflict | Managed device may violate IT rules | Follow employer VPN requirements |
| Public Wi-Fi exposure | Direct traffic lacks VPN encryption | Use full tunnel on untrusted networks |
Best Use Cases for Split Tunneling
The best split tunneling setup depends on your goal. The safest general approach is to keep most traffic inside the VPN and exclude only what needs to bypass it.
1. Accessing local printers, NAS devices, and smart home apps
If your VPN blocks access to local devices, split tunneling can restore access without turning the VPN off.
Good candidates for exclusion include:
- Printer utilities
- NAS management apps
- Smart home control apps
- Local network discovery tools
This works because those services often require local IP connectivity.
2. Banking apps that reject VPN connections
If your bank blocks VPN IP addresses or flags foreign logins, exclude the banking app or website. This lets the bank see your real location.
However, do this only on trusted networks. On public Wi-Fi, it may be safer to avoid banking entirely or use a full VPN tunnel if the bank allows it.
3. Streaming local content while protecting other apps
Streaming services use IP addresses to determine location. Source data notes that split tunneling can let streaming apps bypass the VPN to maintain access to local libraries, or use the VPN to access a different region where permitted by the service.
Use this carefully because streaming platforms may have their own terms and detection systems.
4. Work and personal traffic separation
Some users need a work app protected while casual browsing stays direct, or the reverse. Source data gives an example of routing a work application through the VPN while social media and news tabs use the normal connection.
For remote workers, the right setup depends on company policy.
5. Torrenting with selected VPN protection
Source data lists torrent clients among apps some users may keep inside the VPN. If torrent traffic is sensitive, do not exclude the torrent client. Instead, configure rules so the torrent client always uses the VPN tunnel.
Practical baseline configuration
The source data provides a useful privacy-conscious baseline:
| Send Directly / Exclude from VPN | Keep in VPN |
|---|---|
| Local banking and government apps | Browsers |
| Work intranet or corporate VPN client, when needed to avoid conflicts | Email clients |
| Smart home device control apps | Messaging apps such as Signal, Telegram, and WhatsApp |
| OS update services | Torrent clients |
This is not a universal rule, but it is a sensible starting point for many users.
When You Should Avoid Split Tunneling
Split tunneling is not appropriate in every situation. In some cases, a full VPN tunnel is safer and simpler.
Avoid it on public Wi-Fi if you cannot verify the rules
Public Wi-Fi is one of the strongest cases for full VPN protection. If split tunneling sends some apps directly over the local network, those apps are no longer protected by the VPN tunnel.
Use full tunnel mode when:
- You are in airports, hotels, cafés, or shared networks
- You are handling sensitive accounts
- You are unsure which apps are excluded
- You have not tested for DNS or WebRTC leaks
Avoid it for high-risk or sensitive traffic
Do not exclude apps that handle sensitive data unless there is a strong reason.
Keep these inside the VPN when privacy matters:
- Primary browsers
- Email clients
- Messaging apps
- Torrent clients
- Remote work tools
- Cloud storage apps
- File transfer tools
Avoid it on managed corporate devices unless approved
Corporate VPN policies may require full tunneling. Source data notes that split tunneling can conflict with corporate monitoring and security enforcement.
If your organization requires full tunnel VPN use, do not work around that rule.
Avoid “VPN only for one app” unless you understand the risk
Some VPNs offer a mode where only selected apps use the VPN, and everything else goes direct. This can be useful for specific tasks, but it is riskier as a default because anything you forget to include is unprotected.
For most privacy-focused users, inverse split tunneling—VPN for everything except defined exceptions—is safer.
How to Set Up Split Tunneling Safely
This section of the VPN split tunneling guide focuses on safe setup principles rather than one universal interface, because VPN apps use different names and menus.
Some providers call the feature by different labels. Source data notes that Surfshark calls it Bypasser, NordVPN refers to app split tunneling, and ExpressVPN uses route-related terminology in some contexts.
Step 1: Decide your default posture
Start by choosing the safer model.
| Setup Model | How It Works | Recommended For |
|---|---|---|
| Inverse split tunneling | Everything uses VPN except selected exclusions | Most privacy-conscious users |
| App-only VPN mode | Only selected apps use VPN | Narrow use cases, advanced users |
| Domain-based exclusions | Specific websites bypass or use VPN | Fixing site compatibility issues |
| Router-level rules | Devices or IP ranges follow different routes | Advanced home networks |
If your VPN supports inverse split tunneling, use that as your default unless you have a specific reason not to.
Step 2: Make a short exception list
Do not exclude apps casually. Start with only the apps or services that need direct access.
Good initial exclusions may include:
- Local printer or NAS tools: Needed for LAN access.
- Banking app: If the bank blocks VPN IP addresses.
- Smart home app: If it cannot find local devices through the VPN.
- OS update services: If you want to reduce VPN load for low-risk background downloads.
Avoid excluding:
- Browsers, unless you understand the privacy impact.
- Email clients, because they often handle sensitive content.
- Messaging apps, because they may reveal metadata outside the VPN.
- Torrent clients, unless you intentionally want them outside the VPN.
Step 3: Enable the VPN kill switch
A VPN kill switch blocks internet access if the VPN drops unexpectedly. Source data recommends using a kill switch alongside split tunneling because the tools solve different problems.
| Feature | Purpose | When It Applies |
|---|---|---|
| Split tunnel | Intentionally routes selected traffic outside VPN | Always, based on your rules |
| Kill switch | Blocks traffic if VPN connection drops | Only during unexpected VPN disconnection |
A kill switch does not make excluded traffic private. It protects traffic that is supposed to be tunneled if the VPN fails.
Step 4: Configure app or website rules
Exact steps vary by provider, but the source data gives a NordVPN example:
- Open the NordVPN app
- Go to Settings → Split Tunneling
- Toggle split tunneling on
- Choose the split tunnel mode
- Add apps to include or exclude
- Connect to a VPN server
- Verify the setup by checking IP behavior in tunneled and excluded apps
For other VPNs, look for settings under menus such as:
- Advanced
- Connection
- Bypasser
- Split tunneling
- Route list
- App split tunneling
Step 5: Test your IP address
Before enabling split tunneling, check your normal IP address. Then connect to the VPN and test again.
A correct setup should show:
- VPN-protected browser/app: VPN server IP address
- Excluded browser/app: Real ISP IP address
Source data recommends using an IP checking tool to confirm that split tunneling is working correctly.
Step 6: Test DNS and WebRTC leaks
After confirming IP behavior, run leak tests.
Check for:
- DNS leaks: Are DNS queries going outside the VPN unexpectedly?
- WebRTC leaks: Is your browser exposing your real IP address?
- Wrong app routing: Is a sensitive app bypassing the VPN?
If results are unclear, disable split tunneling and return to full tunnel mode until you can verify the setup.
Step 7: Re-test after app, VPN, or OS updates
Split tunneling behavior can change after updates. Re-test after:
- VPN app updates
- Operating system updates
- Browser updates
- New VPN protocol selection
- New network environment
- Router configuration changes
Troubleshooting Common Split Tunneling Issues
Split tunneling problems usually come down to routing rules, DNS behavior, app compatibility, or operating system limits.
Problem: The wrong IP address appears
If an app that should be protected shows your real IP address, your split tunneling rules may be reversed.
Check whether your VPN is using:
- Exclude selected apps from VPN
- Enable VPN only for selected apps
- Bypass selected apps
- Route selected apps through VPN
These options sound similar but behave very differently.
Problem: A website still sees the VPN IP
If a website should bypass the VPN but still sees the VPN IP, the rule may not apply to that browser or domain.
Possible causes:
- Browser extension limits: Rules may affect only browser traffic, not the full device.
- Domain mismatch: The site may use multiple domains or subdomains.
- App vs. website mismatch: The VPN may support only app rules, not URL rules.
- DNS caching: Restarting the browser or reconnecting the VPN may help.
Problem: Local printer or NAS is unreachable
If local devices disappear while the VPN is active, your VPN may be routing local subnet traffic through the VPN.
Try excluding:
- Printer utility
- NAS management app
- Smart home control app
- Local IP range, if your VPN supports IP-range rules
If your VPN app does not support IP-range rules, you may need to use app-based exclusions or consult the provider’s support documentation.
Problem: Banking app blocks login
Some banking apps block VPN IP addresses or logins from unexpected regions. Exclude the banking app or banking website so it uses your normal connection.
Only do this on a trusted network, because that traffic will not be protected by the VPN tunnel.
Problem: DNS leak test fails
If DNS queries leak outside the VPN, check your VPN’s DNS and leak protection settings. Source data notes that VPN apps may include built-in leak protection, but behavior varies by product.
If you cannot stop the leak, use full tunnel mode for sensitive browsing.
Problem: Split tunneling is missing on iOS or Apple devices
Source data notes that iOS has operating system restrictions that make true per-app split tunneling difficult. Some iOS VPN apps may offer only domain-based exclusions. Security.org’s source data also notes that Apple’s ecosystem restricts the feature due to sandboxing requirements, and that macOS users may face similar restrictions, though some VPNs have workarounds.
In general, Windows and Android have broader split tunneling support according to the source data.
Problem: Router split tunneling breaks internet for other devices
Router-level rules can be fragile. The Tomato-style example in the source data routed two specific IP addresses through a VPN, but other devices could not browse because they had no routing rule.
If you configure router-level split tunneling:
- Back up the router configuration first
- Document every IP address rule
- Test one device at a time
- Confirm default routes for non-VPN devices
- Avoid applying scripts you do not understand
Bottom Line
VPN split tunneling is best used as a precision tool, not a shortcut around VPN protection. It lets you route sensitive apps through an encrypted tunnel while sending low-risk or compatibility-sensitive traffic directly through your normal internet connection.
For most users, the safest setup is inverse split tunneling: keep everything protected by the VPN, then exclude only specific apps such as local printers, smart home tools, banking apps that block VPNs, or OS updates. Avoid split tunneling for sensitive browsing, public Wi-Fi, unmanaged DNS behavior, and corporate devices where full-tunnel VPN use is required.
The most important step is verification. After setup, test your IP address, DNS behavior, and WebRTC exposure so you know which traffic is protected and which traffic is not.
FAQs About VPN Split Tunneling
1. Is VPN split tunneling safe?
Split tunneling can be safe if configured carefully, but traffic outside the VPN tunnel is not protected by VPN encryption. Source data emphasizes that problems often come from erroneous setups, such as excluding the wrong app or leaking DNS queries.
For safer use, keep sensitive apps inside the VPN and exclude only low-risk services that need direct access.
2. What is inverse split tunneling?
Inverse split tunneling means the VPN protects all traffic by default, except the apps or websites you specifically exclude. This is generally safer than selecting only a few apps to protect, because you are less likely to forget an important app.
It is useful when most of your traffic should stay private, but a few services—such as a local printer or banking app—need direct access.
3. Does split tunneling make my VPN faster?
Split tunneling can improve performance for excluded apps because those apps bypass the VPN server and encryption route. Sources explain that VPN tunneling can reduce speed because traffic must be encrypted, decrypted, and routed through an intermediary server.
However, split tunneling does not make VPN-protected traffic inherently faster; it reduces the amount of traffic that uses the VPN.
4. Should I use split tunneling with a kill switch?
Yes, source data recommends using a VPN kill switch alongside split tunneling. They do different jobs: split tunneling intentionally routes selected traffic outside the VPN, while a kill switch blocks traffic if the VPN connection drops unexpectedly.
A kill switch helps protect tunneled traffic from accidental exposure, but it does not encrypt traffic you intentionally excluded.
5. Why does my banking app work only when split tunneling is enabled?
Some banking apps block VPN IP addresses or flag logins from unexpected regions. Split tunneling lets the banking app bypass the VPN so the bank sees your real IP address and expected location.
The trade-off is that the banking app’s traffic is no longer protected by the VPN tunnel.
6. Which devices support split tunneling best?
According to the source data, Windows and Android generally offer the most comprehensive split tunneling support. iOS has operating system restrictions that make true per-app split tunneling difficult, and some iOS VPN apps may offer only domain-based exclusions.
Support varies by VPN provider, operating system, and whether you are using a full VPN app or only a browser extension.










