
VPN Split Tunneling Explained: Route Traffic Selectively
Most people think of a VPN as an all-or-nothing switch: either everything travels through the encrypted tunnel, or nothing does. Split tunneling breaks that assumption. It lets you send some traffic through your VPN while the rest goes directly over your regular internet connection, giving you fine-grained control over your privacy and performance.
Before reading on, check what your current IP address looks like to the outside world with our My IP Address tool. That baseline will help you verify split tunneling is working correctly once you set it up.
What Is VPN Split Tunneling?
Split tunneling is a VPN feature that divides your internet traffic into two streams:
- Tunneled traffic: encrypted and routed through the VPN server. Websites and services see the VPN's IP address.
- Direct traffic: sent over your normal ISP connection without encryption. Websites see your real IP address.
You define the rules. Most VPN apps let you specify which applications, websites, or IP ranges use the tunnel and which bypass it entirely.
How Split Tunneling Works Technically
When your device connects to a VPN, the VPN client installs a virtual network adapter and rewrites your routing table to push all traffic through that adapter. With split tunneling enabled, the client installs more specific routes that override only a subset of traffic:
- App-based rules intercept packets at the process level before they reach the network stack.
- URL/domain-based rules use local DNS overrides to route certain hostnames to the VPN.
- IP-range rules insert specific CIDR blocks into the routing table pointing at the VPN interface.
Traffic not matched by any rule follows the default route (your ISP's gateway), completely bypassing the VPN.
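The route selection described above can be modelled as a longest-prefix match. The following is an added example, not code from the original article or from any VPN client. The interface names (`tun0`, `eth0`), the CIDR blocks and the resolver addresses are constructed sample values. It also flags any DNS resolver whose route leaves outside the tunnel, which is the condition behind a DNS leak.

```python
import ipaddress

# Constructed routing table for a split-tunnel client (all values are sample data).
# Each entry: (destination CIDR, interface). "tun0" stands for the VPN adapter,
# "eth0" for the normal ISP-facing interface.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route: ISP gateway, bypasses the VPN
    ("10.20.0.0/16", "tun0"),     # IP-range rule: tunnel this block
    ("203.0.113.0/24", "tun0"),   # IP-range rule: tunnel this block
    ("192.168.1.0/24", "eth0"),   # local subnet (printer, NAS) stays direct
]


def select_route(dest, routes=ROUTES):
    """Return (cidr, interface) of the most specific route matching dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            # A longer prefix is more specific and overrides shorter ones.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return str(best[0]), best[1]


def audit(destinations, resolvers, vpn_iface="tun0", routes=ROUTES):
    """Classify destinations and flag DNS resolvers routed outside the tunnel."""
    report = {"tunneled": [], "direct": [], "dns_leak": []}
    for dest in destinations:
        _, iface = select_route(dest, routes)
        report["tunneled" if iface == vpn_iface else "direct"].append(dest)
    for resolver in resolvers:
        _, iface = select_route(resolver, routes)
        if iface != vpn_iface:
            report["dns_leak"].append(resolver)
    return report


if __name__ == "__main__":
    result = audit(
        destinations=["10.20.5.9", "203.0.113.40", "192.168.1.50", "198.51.100.7"],
        resolvers=["10.20.0.53", "192.0.2.53"],  # second resolver has no tunnel route
    )
    for key, values in result.items():
        print(f"{key}: {values}")
```

On a real system, compare the output of the operating system's own route lookup against the rules you configured; the model here only shows why a more specific route wins over the default.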
The Three Types of Split Tunneling
| Type | How You Define Rules | Best For |
|---|---|---|
| App-based | Select specific apps (e.g., Chrome, Slack) | Protecting only certain applications |
| URL/Domain-based | Enter hostnames or domains | Bypassing geo-blocks for specific sites |
| Inverse split tunneling | Exclude specific apps from VPN | Routing almost everything through VPN, with exceptions |
Inverse split tunneling is particularly useful: instead of listing every app that should use the VPN, you list only the ones that should not (your local printer, banking app, or work intranet) and everything else automatically gets VPN protection.
Why Would You Use Split Tunneling?
1. Maintain Access to Local Network Resources
Corporate intranets, NAS devices, and printers typically require a local IP connection. If all your traffic goes through a VPN server in another country, your router can't see your device on the local subnet. Split tunneling exempts those connections so you can print and access local shares without disconnecting the VPN.
2. Avoid Bandwidth Throttling on High-Speed Tasks
Streaming 4K video, running software updates, and gaming all benefit from your full ISP bandwidth. Routing these through an extra server adds latency and can cut speeds in half. By excluding your streaming app from the VPN, you enjoy local speeds for entertainment while still protecting sensitive browsing.
3. Stop Breaking Bank and Government Websites
Many financial institutions flag logins from foreign IP addresses and lock accounts. Split tunneling lets you route your banking app directly so that your bank sees your real location, exactly what they expect.
4. Reduce VPN Server Load
Every tunneled byte passes through your VPN provider's infrastructure. Excluding low-risk traffic like OS update servers reduces the load on shared VPN servers, often resulting in faster speeds for the traffic you do protect.
When Split Tunneling Creates Risk
Split tunneling is not universally safe. Understand the trade-offs before enabling it:
- DNS leaks become more likely. If your split tunnel routes DNS queries outside the VPN, your ISP can see what domains you're looking up even though the page content goes through the tunnel. Always verify with our DNS Leak Test.
- WebRTC can expose your real IP. Browsers communicating directly (outside the tunnel) may reveal your actual IP via WebRTC. Run a WebRTC Leak Test to confirm.
- Malware can exploit unprotected paths. Any app running outside the tunnel operates without VPN encryption, making it vulnerable to interception on public Wi-Fi.
- Corporate policies may prohibit it. Many IT security policies require full tunnel VPNs so the company can monitor traffic and enforce security policies. Using split tunneling on a managed device may violate your employer's acceptable-use policy.
How to Enable Split Tunneling (NordVPN Example)
1. Open the NordVPN app and go to Settings > Split Tunneling.
2. Toggle Enable Split Tunneling on.
3. Choose Split Tunnel Mode: Disable VPN for selected apps (standard) or Enable VPN only for selected apps (inverse).
4. Click Add Apps and select the applications you want to route outside (or inside) the tunnel.
5. Connect to a VPN server.
6. Verify your setup: open a browser inside the tunnel and check your IP with our My IP tool. Open the excluded app and confirm it shows your real IP.
Most major VPN providers, including NordVPN, ExpressVPN, and Mullvad, support split tunneling on Windows and Android. iOS has OS-level restrictions that make true per-app split tunneling difficult; many iOS VPN apps offer only domain-based exclusions.
Split Tunneling vs. Kill Switch: Use Both
A VPN kill switch blocks all internet access if the VPN drops unexpectedly, protecting you from accidental IP exposure. Split tunneling and kill switches work differently:
| Feature | Purpose | When It Fires |
|---|---|---|
| Split tunnel | Route specific traffic outside VPN intentionally | Always, by design |
| Kill switch | Block all traffic if VPN connection drops | Only on unplanned disconnection |
You should almost always use a kill switch alongside split tunneling. The kill switch protects your tunneled traffic from accidental exposure; the split tunnel lets intentionally excluded traffic flow freely regardless.
Recommended Split Tunneling Setup for Most Users
Here is a practical baseline configuration for privacy-conscious users:
Exclude from VPN (send directly):
- Local banking and government apps
- Work intranet / corporate VPN client (avoid double-VPN conflicts)
- Smart home device control apps
- OS update services (Windows Update, Apple Software Update)
Keep in VPN (tunnel everything else):
- Browsers (primary and secondary)
- Email clients
- Messaging apps (Signal, Telegram, WhatsApp)
- Torrent clients
Start there, then adjust based on which apps you actually trust with your real IP.
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.