Split tunneling lets you choose which apps use the VPN and which connect directly. Use it for banking apps that block VPNs, local network access, or to improve performance-but understand the security trade-offs.
What Is Split Tunneling?
Split tunneling is a VPN feature that lets you divide your internet traffic into two paths:
- Through the VPN: Encrypted and routed through the VPN server
- Direct connection: Bypasses the VPN and uses your regular internet
Without split tunneling, all your traffic goes through the VPN. With it, you can selectively choose what gets protected.
Full Tunnel (Default)
- All traffic through VPN
- Maximum privacy
- All apps protected
- May be slower
Split Tunnel
- Selected traffic through VPN
- Flexible control
- Better performance
- Some traffic exposed
How Split Tunneling Works
When you enable split tunneling, the VPN client modifies your device's routing table:
- VPN creates a virtual interface for encrypted traffic
- Routing rules determine which traffic uses which interface
- Excluded apps/IPs use your regular network interface
- Included apps/IPs route through the VPN tunnel
Technical Detail
Split tunneling works by manipulating routing tables and firewall rules. On Windows, this often involves the TAP adapter. On mobile, it uses per-app VPN APIs. The VPN client intercepts traffic and decides the routing based on your configuration.
Types of Split Tunneling
App-Based Split Tunneling
Choose specific applications to include or exclude from the VPN:
- Include mode: Only selected apps use VPN (everything else bypasses)
- Exclude mode: All apps use VPN except selected ones
URL/Domain-Based Split Tunneling
Route traffic based on destination websites:
- Exclude specific domains (e.g., your bank's website)
- Include only certain domains through VPN
IP-Based Split Tunneling
Route based on destination IP addresses or ranges:
- Exclude local network (192.168.x.x) for printer access
- Include only specific IP ranges through VPN
Inverse Split Tunneling
The opposite approach-only selected traffic uses VPN, everything else is direct. Useful when you only need to protect specific activities.
When to Use Split Tunneling
Banking Apps
Many banks block VPN connections for fraud prevention. Exclude banking apps to avoid lockouts.
Local Network Access
Access printers, NAS drives, smart home devices on your local network while VPN is active.
Work Applications
Some corporate apps require direct connection or have their own VPN. Exclude them from your personal VPN.
Bandwidth-Heavy Apps
Video calls, gaming, or large downloads can bypass VPN for better speed when privacy isn't critical.
Location-Based Services
Food delivery, ride-sharing, or maps apps that need your real location.
Streaming Services
Access local content library while protecting other browsing through VPN.
Security Considerations
Risks of Split Tunneling
- IP exposure: Excluded apps reveal your real IP address
- Unencrypted traffic: Data outside VPN can be intercepted on public Wi-Fi
- DNS leaks: Some configurations may leak DNS queries
- Correlation attacks: Simultaneous VPN and direct traffic could be correlated
Best Practices
- Only exclude apps you trust completely
- Never exclude browsers if you're concerned about privacy
- Don't use split tunneling on untrusted networks (public Wi-Fi)
- Regularly review which apps are excluded
- Test for DNS leaks after configuring split tunneling
How to Set Up Split Tunneling
Windows
- Open your VPN app settings
- Find "Split Tunneling" or "Per-app VPN"
- Choose "Exclude" or "Include" mode
- Select apps from the list or browse for executables
- Save and reconnect to VPN
macOS
- Open VPN app preferences
- Navigate to split tunneling settings
- Add applications to include/exclude list
- Some apps may require allowing Network Extension permissions
Android
- Open VPN app → Settings
- Find "Split Tunneling" or "Per-app VPN"
- Toggle apps on/off for VPN protection
- Android's native VPN settings also support per-app configuration
iOS
iOS has limited split tunneling support due to Apple restrictions. Some VPN apps offer URL-based exclusions, but full app-based split tunneling is not available on iOS.
Performance Tips
Use split tunneling strategically to optimize performance:
- Exclude video conferencing: Zoom, Teams, Meet for lower latency
- Exclude gaming: Reduce ping by bypassing VPN for games
- Exclude large downloads: OS updates, game patches can bypass VPN
- Include only sensitive apps: Use inverse split tunneling for minimal VPN load
Frequently Asked Questions
Split tunneling is safe when configured correctly, but it does create potential security gaps. Traffic outside the VPN is not encrypted and exposes your real IP. Only exclude apps you trust and that don't handle sensitive data. Avoid using split tunneling on public Wi-Fi.
Split tunneling works best on Windows and Android. macOS support varies by VPN provider. iOS has very limited split tunneling due to Apple restrictions-most iOS VPN apps can only do URL-based exclusions, not full app-based split tunneling.
Yes, any traffic that bypasses the VPN through split tunneling is visible to your ISP just like normal internet traffic. They can see which websites you visit and the amount of data transferred for excluded apps.
Generally, you shouldn't exclude browsers if privacy is important. However, some users exclude browsers to access local content while protecting other apps, or when certain websites block VPN traffic. A better approach is URL-based exclusions for specific sites rather than excluding the entire browser.
Need a VPN with Split Tunneling?
Find a VPN that offers flexible split tunneling options.
Find My VPN