By default, a VPN sends all your traffic through an encrypted tunnel to the VPN server. Every application — browser, email, games, streaming — uses the VPN. That is called a full tunnel. It is the simplest and safest configuration: everything is encrypted, and nothing leaks.
Split tunneling lets you choose which apps or traffic use the VPN and which use your normal connection. You might send your browser through the VPN for privacy but let your banking app use your direct connection because it blocks VPN. Or you might exclude local network traffic so you can still access your NAS, printer, or smart home devices while the VPN is on. Split tunneling solves specific problems — but it also creates risk: traffic outside the VPN is not encrypted by the VPN and is visible to your ISP and anyone on your network.
This guide explains what split tunneling is, how it works, when to use it, when to avoid it, and how to configure it safely. Whether you need to access a local device, use an app that blocks VPN, or route only work traffic through a corporate VPN, the principles apply: full tunnel is the default; use split tunneling only when you have a clear, justified reason.
Misconfiguration is common. Users exclude too many apps, forget to re-enable full tunnel after solving a temporary problem, or assume split tunneling works identically on every platform. It does not. Mobile support is limited; desktop behavior varies by VPN and OS. The following sections cover use cases, configuration, security implications, troubleshooting, and how to avoid common mistakes.
What Is Split Tunneling
Split tunneling divides your traffic into two paths: one through the VPN tunnel and one through your normal connection. You choose which apps, sites, or IP ranges use each path.
In a full tunnel, all traffic from your device goes to the VPN server first, then to the internet. Your ISP sees only encrypted traffic to the VPN. In split tunneling, only selected traffic goes through the VPN. The rest goes directly to the internet through your normal connection. Your ISP can see the traffic that bypasses the VPN: which sites you visit, when you connect, and how much data each app uses.
App-Based Split Tunneling
App-based split tunneling lets you include or exclude specific applications. You might include only your browser and streaming app in the VPN, and exclude your banking app. Or you might exclude only the apps that do not work with VPN. The VPN app maintains a list of included or excluded applications and routes their traffic accordingly.
Domain or IP-Based Split Tunneling
Some VPNs let you split by domain or IP range. You might route only traffic to work domains through the VPN, or exclude your local network subnet (e.g. 192.168.1.0/24) so local devices remain accessible. This is useful when you need fine-grained control — for example, routing only work traffic through a corporate VPN.
Inverse Split Tunneling
Standard split tunneling: only selected traffic goes through the VPN. Inverse split tunneling: only selected traffic bypasses the VPN; everything else goes through it. Inverse is useful when you want the VPN on for almost everything but need to exclude a few apps or sites.
When to Use Split Tunneling
Split tunneling solves specific problems. Use it when you have a clear reason that cannot be solved by a full tunnel.
Local Network Access
A full-tunnel VPN routes all traffic through the VPN server, including traffic to devices on your local network. That can break access to your NAS, printer, smart TV, or smart home devices. Split tunneling lets you exclude local network traffic (e.g. 192.168.x.x, 10.x.x.x) so those devices remain accessible. Many VPN apps have a "LAN access" or "local network" option that does this automatically.
Apps That Block VPN
Some banking apps, work applications, or streaming services block or restrict VPN traffic. If you need to use such an app while keeping the VPN on for everything else, exclude that app from the VPN. Its traffic will use your normal connection. Use this only on trusted networks — never exclude sensitive apps on public WiFi.
Corporate VPN Alongside Personal VPN
If you use a corporate VPN for work and a personal VPN for everything else, you need split tunneling. Route only work apps through the corporate VPN; route personal browsing through the personal VPN. Without split tunneling, you would have to disconnect one VPN to use the other.
Bandwidth or Performance
Some users exclude high-bandwidth or latency-sensitive apps (e.g. gaming, video calls to a local server) from the VPN to avoid the VPN overhead. This trades privacy for performance. Only do this on trusted networks and for apps where the performance gain justifies the privacy loss.
When to Avoid Split Tunneling
Split tunneling adds complexity and reduces protection. Avoid it when a full tunnel works.
On Public WiFi
On public WiFi, all traffic should go through the VPN. Excluding apps means their traffic is visible to anyone on the network. Do not use split tunneling on public WiFi unless you have a specific, necessary exclusion — and even then, minimize what bypasses the VPN.
When You Do Not Need It
If you can use a full tunnel without issues, use it. Split tunneling is a workaround for specific problems. Do not use it "just in case" or for convenience. The default should be full tunnel.
Excluding Sensitive Apps
Never exclude banking, email, or other sensitive apps from the VPN on untrusted networks. If an app does not work with VPN, consider whether you can use it only on trusted networks (e.g. home WiFi) when the VPN is disconnected, rather than permanently excluding it.
How Split Tunneling Works Technically
VPN apps implement split tunneling at the operating system level. On Windows, they use the Windows Filtering Platform (WFP) or similar APIs to route traffic based on process ID, destination IP, or other criteria. On macOS and Linux, similar mechanisms apply. The VPN creates a virtual network interface; the split tunneling logic decides which traffic goes through that interface and which uses the physical interface directly.
The key point: traffic outside the VPN bypasses the VPN's encryption and goes through your normal network stack. Your ISP sees it. Anyone on your local network can potentially see it. The VPN provides no protection for that traffic.
Routing Tables
Under the hood, split tunneling modifies routing tables. Traffic destined for included IPs or from included apps is routed to the VPN interface; other traffic uses the default gateway. Misconfiguration can cause leaks — traffic that should go through the VPN might bypass it. Test your configuration after setting up split tunneling.
DNS and Split Tunneling
DNS queries can complicate split tunneling. If your VPN routes DNS through the tunnel but you exclude an app, that app's DNS may go through your ISP's DNS — potentially leaking which sites you visit. A good VPN app handles DNS consistently: either all DNS through the VPN, or the excluded app uses its own DNS path. Verify with a DNS leak test.
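The routing and DNS behavior described above can be checked offline. The following is an added example, not code from any VPN client: it applies longest-prefix matching to a constructed routing table and reports which destinations and DNS resolvers leave the tunnel. The interface names, addresses, and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table (prefix, interface). "tun0" stands for the VPN
# interface and "eth0" for the physical one; both names are assumptions.
ROUTES = [
    ("0.0.0.0/1", "tun0"),        # two /1 routes override the default route
    ("128.0.0.0/1", "tun0"),
    ("0.0.0.0/0", "eth0"),        # original default gateway
    ("192.168.1.0/24", "eth0"),   # intended LAN exclusion
    ("203.0.113.0/24", "eth0"),   # stale exclusion nobody removed
]
INTENDED_BYPASS = ["192.168.1.0/24"]


def egress_interface(dest, routes):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(destinations, resolvers, routes, vpn="tun0", intended=INTENDED_BYPASS):
    """Classify each destination and DNS resolver by the path it takes."""
    intended_nets = [ipaddress.ip_network(p) for p in intended]
    report = {}
    for label, ip in destinations:
        iface = egress_interface(ip, routes)
        if iface == vpn:
            report[label] = "tunnel"
        elif any(ipaddress.ip_address(ip) in n for n in intended_nets):
            report[label] = "bypass (intended)"
        else:
            report[label] = "LEAK via %s" % iface
    for ip in resolvers:
        # A resolver reached outside the tunnel exposes every lookup,
        # even when its address sits inside an intended exclusion.
        iface = egress_interface(ip, routes)
        report["dns " + ip] = "tunnel" if iface == vpn else "DNS LEAK via %s" % iface
    return report


# Constructed inputs: documentation addresses plus a LAN router used as resolver.
DESTINATIONS = [("website", "198.51.100.10"), ("nas", "192.168.1.20"),
                ("old-exclusion", "203.0.113.7")]
RESOLVERS = ["192.168.1.1", "10.8.0.1"]

if __name__ == "__main__":
    for label, verdict in audit(DESTINATIONS, RESOLVERS, ROUTES).items():
        print("%-16s %s" % (label, verdict))
```

The router at 192.168.1.1 is flagged even though the LAN exclusion is intended: a local network exclusion combined with a LAN resolver sends DNS lookups outside the tunnel.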
Configuring Split Tunneling
Configuration varies by VPN provider and platform. Not all VPNs support split tunneling on all devices.
Finding the Setting
Look for "Split tunneling," "App exclusion," "Per-app VPN," or "Route only" in your VPN app settings. The option may be under "Advanced," "Network," or "Connection." On mobile, split tunneling is less common — Android has some support; iOS has limited support.
Include vs Exclude
Some VPNs let you include only certain apps (everything else bypasses). Others let you exclude certain apps (everything else goes through). Choose based on your use case. If you want the VPN on for most things, use exclude mode and list only the apps that must bypass.
Local Network Exclusion
For local network access, look for "Allow LAN traffic," "Local network access," or "Exclude local network." This typically excludes 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12 — the standard private IP ranges. Enable this if you need to access NAS, printer, or smart home devices while the VPN is on.
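When a client has no LAN option and only accepts a list of networks to tunnel, the exclusion has to be written as its complement. The following is an added example, not taken from any VPN client: it computes the IPv4 prefixes that cover everything except the three private ranges above and formats them as a WireGuard `AllowedIPs` line. The function names are illustrative.

```python
import ipaddress

# The private ranges named above; these stay on the physical interface.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def tunnel_prefixes(excluded, universe="0.0.0.0/0"):
    """Return the prefixes covering `universe` minus every excluded range."""
    remaining = [ipaddress.ip_network(universe)]
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        next_round = []
        for net in remaining:
            if hole.subnet_of(net):
                # Punch the hole out of the block that contains it.
                next_round.extend(net.address_exclude(hole))
            elif net.subnet_of(hole):
                # The whole block is excluded; drop it.
                continue
            else:
                next_round.append(net)
        remaining = next_round
    return sorted(ipaddress.collapse_addresses(remaining))


def allowed_ips_line(excluded):
    """Format the result as a WireGuard AllowedIPs entry (IPv4 only)."""
    return "AllowedIPs = " + ", ".join(str(n) for n in tunnel_prefixes(excluded))


if __name__ == "__main__":
    print(allowed_ips_line(PRIVATE_RANGES))
```

The list covers IPv4 only; IPv6 needs its own entry, otherwise it is not routed through the tunnel.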
Security Implications of Split Tunneling
Split tunneling reduces your protection. Traffic outside the VPN is not encrypted by the VPN. Your ISP can see it. On shared networks, others can potentially intercept it.
What You Give Up
For every app or site you exclude, you give up VPN encryption and IP masking. That traffic is as visible as if you were not using a VPN at all. Exclude only what is necessary, and only on trusted networks.
Attack Surface
Excluded apps are potential attack vectors. If an excluded app is compromised or has a vulnerability, an attacker could use it to reach your network. Keep excluded apps to a minimum and ensure they are updated and trusted.
When Split Tunneling Is Acceptable
Split tunneling is acceptable when: you exclude only local network traffic (LAN access), you exclude a specific app that does not work with VPN and you use it only on trusted networks, or you are routing work traffic through a corporate VPN while personal traffic uses a personal VPN. In each case, understand what traffic is exposed and accept the trade-off.
Troubleshooting Split Tunneling
Common issues with split tunneling include misconfiguration, DNS leaks, and apps that do not behave as expected.
Excluded App Still Uses VPN
Some apps use system proxies or other mechanisms that can route their traffic through the VPN even when excluded. If an excluded app still appears to use the VPN (e.g. its public IP address shows as the VPN server's), try a different exclusion method or contact your VPN provider. On some platforms, app-based split tunneling does not work for all apps.
Included App Bypasses VPN
If an app you included still bypasses the VPN, you may have a leak. Run a leak test (IP and DNS) while using only the included app. If your real IP or DNS appears, the split tunneling configuration may be incorrect. Try disabling split tunneling temporarily to verify the VPN works in full-tunnel mode.
Local Network Still Inaccessible
If you enabled local network exclusion but still cannot reach local devices, check that the exclusion includes the correct subnet. Some devices use non-standard private IP ranges. You may need to add a custom exclusion. Restart the VPN app after changing split tunneling settings.
Split Tunneling by Platform
Support and behavior vary by operating system. Knowing what your platform offers helps you set realistic expectations.
Windows
Windows VPN apps typically offer the most flexible split tunneling. App-based and IP-based options are common. The Windows Filtering Platform (WFP) allows per-process routing. Look for "Split tunneling," "App exclusion," or "Route only" in your VPN settings. Some corporate VPN clients use different terminology — check your provider's Windows documentation.
macOS
macOS supports per-app VPN routing through the Network Extension framework. Not all VPN apps expose this to users. If your app offers split tunneling, it may be under "Network" or "Advanced" settings. Apple's built-in VPN (IKEv2, etc.) has limited split tunneling compared to third-party apps.
Linux
On Linux, split tunneling is often configured via routing tables and firewall rules. Some VPN apps provide a GUI; others require manual configuration. If you use OpenVPN or WireGuard directly, you can add route directives to include or exclude specific networks. Document your configuration — it is easy to misconfigure and create leaks.
Android and iOS
Android supports per-app VPN (split tunneling) for apps that target recent API levels. You can choose which apps use the VPN and which bypass it. iOS has limited support — "Connect on Demand" with specific configurations can achieve similar results, but full app-based split tunneling is not widely available. Check your VPN app's mobile documentation.
Corporate VPN and Split Tunneling
Many organizations require employees to use a corporate VPN for work traffic. Split tunneling becomes essential when you also use a personal VPN or need to access local resources.
Work-Only vs Full-Tunnel Corporate VPN
Some corporate VPNs route all traffic through the company network (full tunnel). Others support split tunneling so only work apps and domains use the VPN. If your employer uses full tunnel, you cannot run a personal VPN simultaneously without split tunneling — the corporate VPN would capture everything. If your employer supports split tunneling, you can route work traffic through the corporate VPN and personal traffic through a personal VPN or direct connection.
Policy Compliance
Some employers prohibit split tunneling for security reasons. They want all traffic — including personal — to pass through corporate inspection. If that is your employer's policy, you must comply. Do not attempt to bypass corporate VPN restrictions; that can violate acceptable use and create security risks. Use a personal VPN only on personal devices and outside work hours if policy allows.
Dual VPN Scenarios
When you need both corporate and personal VPN protection, split tunneling is the only way. Route work apps (Slack, email client, internal tools) through the corporate VPN. Route your browser and other personal apps through the personal VPN or direct connection. Configure carefully — misconfiguration can send work traffic over the wrong path or expose personal traffic to the corporate network.
Common Split Tunneling Mistakes
Users often misconfigure split tunneling or use it when they should not. Avoiding these mistakes reduces risk and keeps your setup maintainable.
Excluding Too Many Apps
The more apps you exclude, the more traffic is exposed. Some users exclude browsers, email, and streaming — effectively using the VPN for almost nothing. If you exclude more than one or two apps, reconsider whether you need split tunneling at all. The goal is to exclude the minimum necessary.
Forgetting to Revert After a Temporary Fix
You exclude your banking app because it blocks VPN, then forget to remove the exclusion when you switch to a different bank that works with VPN. Or you enable local network access for a one-time printer setup and leave it on indefinitely. Review your split tunneling settings monthly. Remove exclusions that are no longer needed.
Assuming Mobile Works Like Desktop
Split tunneling on Android and iOS behaves differently than on Windows or macOS. Some apps cannot be excluded. Some VPNs do not offer split tunneling on mobile at all. Check your platform before relying on a mobile split tunneling setup.
Split Tunnel vs Full Tunnel: Quick Decision Guide
Use this guide when deciding whether to enable split tunneling or stay with full tunnel.
Choose Full Tunnel When
You are on public WiFi, traveling, or any untrusted network. You have no specific need for local device access or app exclusion. You want maximum privacy with minimum configuration. You are unsure. Full tunnel is the safe default.
Choose Split Tunneling When
You need to access a NAS, printer, or smart home device while the VPN is on. A specific app (banking, work tool) blocks VPN and you must use it on a trusted network. You run corporate and personal VPNs and need to route traffic separately. You have a clear, documented reason.
Re-evaluate Periodically
Your needs change. An app that blocked VPN may have been updated. Your home network setup may have changed. Set a reminder to review split tunneling settings every few months. Default to full tunnel and add exclusions only when a concrete problem appears.
Split Tunneling and DNS: What to Watch
DNS handling is one of the most common sources of leaks when using split tunneling. Excluded apps may send DNS queries outside the VPN tunnel.
How DNS Fits In
When you exclude an app, that app may use your system DNS resolver — often your ISP's. Your ISP can then see which domains the excluded app requested. Some VPNs route all DNS through the tunnel regardless of app exclusion; others do not. Check your VPN's documentation and run a DNS leak test while using excluded apps.
Testing DNS with Split Tunneling
Connect to the VPN with split tunneling enabled. Use only an excluded app and visit a DNS leak test site. If your ISP's DNS servers appear, you have a leak. Switch to a VPN that handles DNS consistently, or reduce the number of excluded apps.
Key Takeaways
Split tunneling sends only selected traffic through the VPN; the rest uses your normal connection. Use it when you need local network access, an app that blocks VPN, or to separate corporate and personal VPN traffic. Avoid it on public WiFi and when you do not have a clear reason. Traffic outside the VPN is not encrypted — your ISP can see it. Full tunnel is the default; use split tunneling only when necessary. Test for leaks after configuring split tunneling.
Split tunneling is a useful feature when you have a specific need — local network access, an app that blocks VPN, or corporate and personal VPN separation. It is not the default for good reason: traffic outside the VPN is exposed.
Use full tunnel whenever possible. When you need split tunneling, exclude only what is necessary and understand the security trade-off. On public WiFi, avoid split tunneling entirely. On trusted networks, it can solve real problems without unacceptable risk.
Configure carefully, test for leaks, and revisit your settings periodically. What you exclude today may not need to be excluded tomorrow. Full tunnel is simpler and safer; use split tunneling only when you have a clear reason. If you are unsure, start with full tunnel. Add exclusions only when you hit a concrete problem — local device access, a blocked app, or corporate VPN overlap.
KloudVPN Team
Experts in VPN infrastructure, network security, and online privacy. The KloudVPN team has been building and operating VPN services since 2019, providing consumer and white-label VPN solutions to thousands of users worldwide.