Back to Blog
VPN

Split Tunneling: The VPN Feature You're Probably Not Using

By Kunal KhatriMar 9, 2026
Split Tunneling: The VPN Feature You're Probably Not Using

Full VPN tunnelling routes everything through the VPN — your online banking, your streaming, your work email, your game downloads, all of it. This protects everything but often creates problems: slower speeds, inaccessible local network devices, streaming services blocked by VPN detection. Split tunneling fixes this by letting you define which traffic goes through the VPN and which bypasses it.

How It Works

Split tunneling at the application level lets you specify which apps use the VPN. Chrome goes through the tunnel; Steam doesn't. Your work VPN client goes through; your local printer driver doesn't. The OS maintains two routing paths simultaneously — the VPN tunnel for designated traffic, the regular network stack for everything else.

IP-based split tunneling is more granular — you specify which destination IP ranges use the VPN. All traffic to 10.0.0.0/8 (your corporate network) goes through the corporate VPN. Everything else goes direct. This is exactly how most corporate VPN setups work: employee traffic to company systems is tunnelled, personal internet use isn't.

The Privacy Trade-off

Split tunneling is a privacy compromise. The traffic you route outside the VPN is visible to your ISP and the regular surveillance architecture of the open internet. If privacy is the primary reason you're using the VPN, routing some traffic outside it defeats part of the purpose.

The framing matters here. The use case where split tunneling makes sense is when different traffic has different privacy requirements. Your sensitive browsing goes through the VPN. Your Netflix streaming — which doesn't have privacy implications but keeps getting VPN-blocked — goes direct. That's a reasonable trade.

Inverse Split Tunneling

Some VPN clients offer inverse (or 'exclusive') split tunneling — instead of specifying which apps use the VPN, you specify which apps bypass it, and everything else goes through. This is useful when you want most traffic protected but need a few specific applications to use your direct connection for performance or accessibility reasons.

Which VPNs Support It

ExpressVPN, NordVPN, Mullvad, and ProtonVPN all offer split tunneling on at least some platforms. Implementation quality varies — some only support application-level splitting, some only IP-based. Check whether your VPN client supports the granularity you need before assuming the feature works the way you expect.

Split Tunneling in Corporate VPN Environments

Corporate VPNs are often the original split tunneling use case. An employee's VPN only tunnels traffic destined for the company's internal IP ranges — everything else goes direct. This is deliberate policy: the company wants to see its own traffic for security monitoring, but has no interest in routing an employee's personal Netflix browsing through the corporate network.

The risk is that the employee's personal browsing bypasses corporate security tools (DNS filtering, proxy inspection, content filtering). IT departments accept this trade-off because the alternative — routing all employee internet traffic through corporate infrastructure — creates enormous bandwidth costs and privacy concerns. If your company laptop's VPN uses split tunneling, your personal browsing on that device is going out directly to the internet, unmonitored by the company but also unprotected by any of the company's security stack.

Test Your VPN Configuration

Verify which traffic is going through your VPN and whether any leaks exist.

Run Leak Test
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: