Split Tunneling: The VPN Feature You're Probably Not Using
Full VPN tunnelling routes everything through the VPN — your online banking, your streaming, your work email, your game downloads, all of it. This protects everything but often creates problems: slower speeds, inaccessible local network devices, streaming services blocked by VPN detection. Split tunneling fixes this by letting you define which traffic goes through the VPN and which bypasses it.
How It Works
Split tunneling at the application level lets you specify which apps use the VPN. Chrome goes through the tunnel; Steam doesn't. Your work VPN client goes through; your local printer driver doesn't. The OS maintains two routing paths simultaneously — the VPN tunnel for designated traffic, the regular network stack for everything else.
IP-based split tunneling is more granular — you specify which destination IP ranges use the VPN. All traffic to 10.0.0.0/8 (your corporate network) goes through the corporate VPN. Everything else goes direct. This is exactly how most corporate VPN setups work: employee traffic to company systems is tunnelled, personal internet use isn't.
The Privacy Trade-off
Split tunneling is a privacy compromise. The traffic you route outside the VPN is visible to your ISP and the regular surveillance architecture of the open internet. If privacy is the primary reason you're using the VPN, routing some traffic outside it defeats part of the purpose.
The framing matters here. The use case where split tunneling makes sense is when different traffic has different privacy requirements. Your sensitive browsing goes through the VPN. Your Netflix streaming — which doesn't have privacy implications but keeps getting VPN-blocked — goes direct. That's a reasonable trade.
Inverse Split Tunneling
Some VPN clients offer inverse (or 'exclusive') split tunneling — instead of specifying which apps use the VPN, you specify which apps bypass it, and everything else goes through. This is useful when you want most traffic protected but need a few specific applications to use your direct connection for performance or accessibility reasons.
Which VPNs Support It
ExpressVPN, NordVPN, Mullvad, and ProtonVPN all offer split tunneling on at least some platforms. Implementation quality varies — some only support application-level splitting, some only IP-based. Check whether your VPN client supports the granularity you need before assuming the feature works the way you expect.
Split Tunneling in Corporate VPN Environments
Corporate VPNs are often the original split tunneling use case. An employee's VPN only tunnels traffic destined for the company's internal IP ranges — everything else goes direct. This is deliberate policy: the company wants to see its own traffic for security monitoring, but has no interest in routing an employee's personal Netflix browsing through the corporate network.
The risk is that the employee's personal browsing bypasses corporate security tools (DNS filtering, proxy inspection, content filtering). IT departments accept this trade-off because the alternative — routing all employee internet traffic through corporate infrastructure — creates enormous bandwidth costs and privacy concerns. If your company laptop's VPN uses split tunneling, your personal browsing on that device is going out directly to the internet, unmonitored by the company but also unprotected by any of the company's security stack.
Test Your VPN Configuration
Verify which traffic is going through your VPN and whether any leaks exist.
Run Leak TestAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
VPN Logging Policies: What 'No Logs' Actually Means
'No logs' is the most abused phrase in VPN marketing. What a VPN can technically claim while still logging everything that matters is more than you'd expect.
SOCKS5 vs HTTP Proxy: Which One Should You Use
SOCKS5 and HTTP proxies both route your traffic through an intermediate server. The difference in protocol, capability, and appropriate use cases is significant.
WebRTC Leaks: The VPN Hole Nobody Warns You About
WebRTC is built into browsers for video and audio calls. A side effect is that it can expose your real IP address even when a VPN is active — and most VPN clients don't fix it.
Proxy vs VPN: They're Not the Same Thing
Both a proxy and a VPN can change your apparent IP address. The difference in how they work — and what they protect — is significant.
