Split tunneling is a VPN feature that lets you route some traffic through the VPN and other traffic outside the VPN. Most consumer VPN providers support it. Most users never enable it. The right answer depends on what you are trying to accomplish.
This piece explains what split tunneling is, when to use it, when not to, and how to think about the trade-offs.
What split tunneling is
By default, when you enable a VPN, all your network traffic is encrypted and routed through the VPN provider’s server before reaching the public internet. This is “full tunnel” mode.
Split tunneling lets you specify exceptions. Some traffic goes through the VPN; other traffic goes directly through your normal internet connection. The split can be configured by application (per-app split tunneling) or by destination (specific websites or IP ranges bypass the VPN).
For example, you might configure: my web browser routes through the VPN for privacy, but my video conferencing app routes directly to avoid latency, and my smart home devices stay on the local network.
Why use split tunneling
The most common practical reasons:
Streaming services that block VPN traffic. You can split-tunnel Netflix, Hulu, BBC iPlayer outside the VPN so they work without disabling the VPN entirely.
Banking and payment services that flag VPN IPs as fraud. Split-tunnel these outside the VPN to avoid the constant additional verification challenges.
Local network devices that need direct access. Your printer, your smart TV, your home assistant might not work correctly if all traffic is routed through a VPN exit hundreds of miles away.
Speed-sensitive applications. Video calls, online gaming, real-time tools work better without the VPN’s added latency. Split-tunnel them direct.
Specific work applications that require certain IP ranges. Some VPNs (corporate or otherwise) need to be reached from specific IPs.
Why not use split tunneling
Reduces the privacy benefit you are paying for. The whole point of a VPN is that your real IP and traffic patterns are hidden. Anything you split-tunnel outside the VPN is exposed to your ISP and to whatever services you connect to.
Adds operational complexity. You have to maintain the list of what is split-tunneled. As your apps and habits change, the configuration drifts. Things that should be tunneled accidentally are not.
Creates inconsistency. Some sessions on a particular app go through the VPN; others do not. Difficult to reason about and easy to make mistakes.
For users whose primary motivation for using a VPN is privacy: minimize split tunneling. Only split-tunnel when there is a specific functional need.
For users whose primary motivation is geographic IP (streaming from another country, etc.): full tunnel and accept the trade-offs is usually simpler.
Per-app versus per-destination
Per-app split tunneling: you specify which applications use the VPN and which do not. The OS-level configuration determines routing based on the originating app. Available on Windows, macOS, Android, but not iOS (Apple does not allow per-app VPN routing for consumer apps).
Per-destination split tunneling: you specify which IP ranges or domains bypass the VPN. Routing is based on the destination, regardless of which app initiated the connection. Works on more platforms because it operates at the network layer, not the app layer.
Per-app is easier to configure (you pick apps from a list). Per-destination is more flexible but requires you to know IP ranges or domains.
Most VPN providers support one or both. Mullvad, ProtonVPN, NordVPN, ExpressVPN, Surfshark all have split tunneling on at least Windows and Android.
How to configure it
The exact UI varies by provider, but the pattern is similar:
Open the VPN app. Find the Split Tunneling settings (sometimes under “Advanced” or “Network”).
Choose between two modes:
- Allow listed apps/domains through the VPN, exclude everything else (more permissive, higher risk of leaks)
- Exclude listed apps/domains from the VPN, route everything else through (more restrictive, safer default)
Add the apps or domains you want excluded.
Save and verify the configuration with a test (use a tool like ipchecker on a “tunneled” app to verify it shows the VPN IP, then on an “excluded” app to verify it shows your real IP).
Common pitfalls
DNS leaks. Your VPN’s DNS protection may not apply to traffic that is split-tunneled. Configure DNS settings explicitly to ensure no leaks.
IPv6 traffic. Most consumer VPNs handle IPv4 split tunneling but may not handle IPv6 correctly. If you have IPv6 enabled, verify the split-tunneled traffic does not leak via IPv6.
App updates that break configurations. When an app updates, the file path may change, breaking your split-tunneling rule that pointed at the old path.
OS updates that change behavior. Operating system updates occasionally change how VPN clients handle split tunneling. Re-verify after major OS updates.
Mixing per-app and per-destination rules. Some VPN clients allow both simultaneously, but the interaction can be unintuitive. Stick to one approach.
A specific recommendation
For users whose primary VPN motivation is privacy: do not use split tunneling unless you have a specific concrete need. The privacy reduction outweighs the convenience for most cases.
For users whose primary motivation is streaming: enable split tunneling for streaming apps that need it, full tunnel everything else.
For users in environments where some apps require direct access (local network printers, work VPNs, banking apps): enable split tunneling for the specific apps that need direct access.
For users who do not understand the trade-offs: leave split tunneling off. Full tunnel is the safe default.
For users debugging connection issues: use split tunneling temporarily to isolate which apps work and which do not, but return to full tunnel after debugging.
NordVPN split tunneling docs | ExpressVPN split tunneling docs | Mullvad split tunneling docs
Related: Best VPN for streaming Netflix US, NordVPN editorial, ProtonVPN editorial