What is VPN split tunneling and when should you use it?
By default a VPN routes all your traffic through the tunnel. Split tunneling lets you choose which traffic goes through the VPN and which goes direct. Here's when that's useful, when it's risky, and how to set it up.
A standard VPN is "all in" — every byte your device sends or receives goes through the encrypted tunnel. That's usually what you want. Sometimes it isn't: maybe your work VPN should only carry corporate traffic, your privacy VPN should only carry browser traffic, or your local printer needs to keep working while the tunnel is up.
That's what split tunneling is for. Here's the practical guide.
The two-line summary
Split tunneling lets you choose which traffic goes through your VPN and which goes direct over your normal internet connection. Useful when you want some apps protected and others fast, or when full-tunnel breaks something.
Done well, it's a quality-of-life win. Done sloppily, it's a privacy leak waiting to happen.
How split tunneling works
A normal VPN modifies your operating system's routing table so all traffic destined for the public internet (0.0.0.0/0 and ::/0) goes through the VPN's virtual network adapter. See our how a VPN works post for the full mechanics.
Split tunneling adjusts the routing rules. Several approaches:
Per-app split tunneling
Specific applications go through the VPN; everything else doesn't. The VPN client maintains a list. When an app makes a network request, the client checks the list and routes accordingly.
This requires hooking the OS at a deep level — most desktop operating systems support it natively (with caveats), and quality VPN clients implement it on Windows, macOS, Linux, iOS, and Android.
Per-route split tunneling
Specific destinations (IPs, hostnames, ranges) go through the VPN; everything else doesn't. Or the inverse: everything goes through the VPN except a specific list of destinations.
Useful for "always tunnel work resources" or "always bypass tunnel for streaming services."
Inverse / exclude lists
Lists of apps or destinations that should bypass the VPN even though everything else uses it. The opposite of "include." Both directions are useful in different contexts.
LAN access
A common limited form of split tunneling: allow connections to private IP ranges (192.168.x.x, 10.x.x.x, etc.) to bypass the VPN so you can reach devices on your home network. Most VPN clients enable this by default.
Common use cases
Corporate VPN, private apps only
Your work VPN gives access to internal resources. You don't want personal browsing routed through your employer's network (privacy) or eating your home bandwidth via a slow corporate exit (speed).
Configure: only corporate.example.com and internal IPs go through the VPN. Everything else direct.
Privacy VPN, browser only
You use a privacy VPN to browse the web but want your video calls and games to use direct connections for low latency.
Configure: only the browser uses the VPN; other apps direct.
Streaming through a different region
You use the VPN for streaming a foreign service but don't want the VPN slowing everything else down.
Configure: only the streaming app uses the VPN.
Local network access
You're on a VPN but need to print on your home printer.
Configure: traffic to 192.168.0.0/16 bypasses the VPN. (Most VPN clients have a checkbox for this, usually labelled "allow LAN access.")
Avoiding sites that block VPN IPs
Your bank or government site refuses VPN IPs. Bypass for that one site.
Configure: traffic to bank.example.com goes direct.
The risks
Split tunneling expands the attack surface in ways full-tunnel does not.
DNS leaks
If your VPN's DNS handling is "tunnel everything," but you split-tunnel an app, DNS queries from that app may still go through the tunnel — or they may not, depending on the implementation. Inconsistent behavior means you can leak DNS queries you didn't expect.
Solution: configure the VPN to handle DNS for tunneled apps but not for excluded ones. Quality clients do this correctly; cheap ones don't.
Half-protected app traffic
You set "browser uses VPN, everything else direct." Then an app downloads an update via a different process, exposing your real IP. Split tunneling at the app level is granular but error-prone: apps spawn helpers, use system services, and talk to DNS through OS APIs.
Confused users
The whole point of a VPN is "I know my traffic is protected." Split tunneling adds nuance: "this is protected, that isn't." Easy to forget which is which. Easy to be wrong about an app's behavior.
Admin policy bypass
In corporate settings, split tunneling is sometimes used to bypass corporate logging or filtering. From IT's perspective this is a security risk — they want to see all traffic. From the user's perspective it's privacy. The political tension is real and depends on policy.
How to enable it
Major VPN providers
Most quality consumer VPNs (Mullvad, Proton, NordVPN, ExpressVPN, IVPN, Surfshark) include split tunneling. Look in:
- App settings → Connection → Split Tunneling.
- Choose include/exclude mode.
- Add apps or domains.
The exact UI varies. Mullvad calls it "Split tunneling," Proton calls it "Split Tunneling," NordVPN calls it "Split Tunneling" — they've converged on the name even if the implementations differ.
iOS and Android
Mobile platforms restrict what VPN apps can do. iOS supports per-app VPN through configuration profiles (mostly enterprise-only consumer apps can use it). Android supports per-app via VPN client settings.
Manual on Linux/macOS
For users running WireGuard or OpenVPN directly, split tunneling is configured by:
- Adding AllowedIPs rules in the WireGuard config (only specific IP ranges go through the tunnel).
- Modifying iptables/nftables/pf rules to apply policy routing.
This is the granular approach for power users.
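The per-route and exclude-list mechanics above, and the WireGuard AllowedIPs approach in particular, come down to prefix arithmetic and longest-prefix routing. The following is an added example (not code from any VPN client or from WireGuard itself) that builds an "everything except the LAN and one bypass host" AllowedIPs list by taking the complement of the excluded ranges, then replays the kernel's longest-prefix match to show which destinations go direct. The LAN range and the 203.0.113.10 bypass host are constructed sample values.

```python
import ipaddress

# Constructed sample policy: tunnel everything except the home LAN and one
# host that refuses VPN addresses (placeholder from the TEST-NET-3 range).
LAN = ipaddress.ip_network("192.168.0.0/16")
BYPASS_HOST = ipaddress.ip_network("203.0.113.10/32")


def exclude_from(nets, excluded):
    """Return `nets` with every prefix in `excluded` carved out.

    WireGuard's AllowedIPs is an include list with no "exclude" keyword, so
    an exclude-style policy is written as the complement of the excluded
    ranges. address_exclude yields the pieces left once a sub-prefix is
    removed (carving a /16 out of 0.0.0.0/0 leaves 16 prefixes).
    """
    result = list(nets)
    for ex in excluded:
        kept = []
        for net in result:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)  # untouched by this exclusion
            elif net.subnet_of(ex):
                continue  # entirely inside the excluded range: drop it
            else:
                kept.extend(net.address_exclude(ex))
        result = kept
    return sorted(result, key=lambda n: (int(n.network_address), n.prefixlen))


def tunnel_all_except(excluded):
    """AllowedIPs prefixes for 'full IPv4 tunnel except these ranges'."""
    return exclude_from([ipaddress.ip_network("0.0.0.0/0")], excluded)


def allowed_ips_line(nets):
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def build_table(tunnel_nets, default="direct"):
    """wg-quick adds one route per AllowedIPs entry; anything not listed
    falls through to the pre-existing default route and goes direct."""
    default_route = (ipaddress.ip_network("0.0.0.0/0"), default)
    return [default_route] + [(ipaddress.ip_network(str(n)), "wg0") for n in tunnel_nets]


def route_for(dst, table):
    """Longest-prefix match over (prefix, next_hop) pairs: the same decision
    the kernel makes on the routing table the VPN client installed."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        if prefix.version == addr.version and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, via)
    return best[1] if best else None


if __name__ == "__main__":
    nets = tunnel_all_except([LAN, BYPASS_HOST])
    print(allowed_ips_line(nets))
    table = build_table(nets)
    for dst in ("8.8.8.8", "192.168.1.20", "203.0.113.10"):
        print(dst, "->", route_for(dst, table))
```

The same `route_for` check also explains the include-style corporate case: with only 10.0.0.0/8 listed, everything else matches only the default route and stays direct.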
Best practices
- Default to full tunnel unless you have a specific reason for split.
- If split, document what's excluded — keep a mental (or actual) list.
- Test with our DNS Leak Test and WebRTC Leak Test after configuring split tunneling. Verify the tunneled apps appear via the VPN exit, and the excluded ones appear via your real IP.
- Don't split-tunnel a privacy VPN. If the goal is privacy from your ISP, splitting defeats the goal — anything excluded is visible to your ISP.
- Do split-tunnel a work VPN that's slow or geographically inconvenient — keeps personal traffic fast.
Quick FAQ
Does split tunneling save bandwidth? Indirectly — less traffic through the VPN means less encryption overhead and less bandwidth measured at the VPN exit. For most users, the savings are negligible.
Can I split-tunnel by hostname? Some VPN clients support this; it requires DNS interception. Implementation varies in quality. Per-IP routing is more reliable.
Will split tunneling leak my real IP? For excluded apps and destinations: yes, by design. That's what "excluded" means. The IP they see is your real one.
Can streaming services tell I'm split-tunneling? Indirectly — your IP appears as the VPN's, but if you've logged into the service from your home IP previously, the account's history may flag the inconsistency.
Is split tunneling supported on routers? Some routers running OpenWRT, AsusWRT-Merlin, or pfSense support policy-based routing that's effectively split tunneling at the network level — different devices use different exits. Powerful and complex; not for casual users.
TL;DR
- Split tunneling = choose which traffic goes through your VPN and which goes direct.
- Useful for mixing work + personal traffic, browser-only privacy, LAN access, and bypassing sites that block VPN IPs.
- Risks: leaks, confusion, accidentally-unprotected app traffic.
- Test with leak tests after configuring.
- Default to full-tunnel unless you have a clear reason to split.
For most casual VPN users, full-tunnel is the right answer. For users with specific multi-context needs, split tunneling is the right tool — used carefully.