What Is VPN Split Tunnelling?
VPN split tunnelling is a feature that lets you choose which of your network traffic routes through the VPN and which goes directly through your normal internet connection - Simultaneously. Instead of an all-or-nothing tunnel, split tunnelling gives you precise control over each app or IP range.
How Split Tunnelling Works
| Mode | What Gets Tunnelled | What Goes Direct | Best Use Case |
|---|---|---|---|
| App-based include | Only selected apps (e.g., torrent client, browser) | Everything else | Route only sensitive apps through VPN while gaming or streaming locally at full speed |
| App-based exclude | Everything except listed apps | Selected apps bypass VPN | Keep VPN on by default but allow local banking app to use your real IP to avoid fraud flags |
| IP/subnet-based | Traffic to specific IP ranges or domains | All other traffic | Corporate remote access - Only route company intranet traffic through work VPN |
| Inverse split tunnel | Everything except whitelisted local IPs | Local network (printers, NAS) | Access local devices while VPN is active |
Common Use Cases for Split Tunnelling
- Banking apps: Route your bank's app direct so your real IP is used - Banks may flag logins from VPN/datacenter IPs as suspicious.
- Local streaming: Keep your local streaming service (Netflix, Hulu) on your real connection for correct regional content while routing everything else through the VPN.
- Gaming: Keep your game traffic direct for lowest possible ping; route your browser through the VPN for privacy.
- Remote work: Only route traffic to your company's servers through the work VPN; keep your personal browsing separate.
- Large file downloads: Route your download manager direct for maximum speed while protecting your browser and messaging apps.
Risks of Split Tunnelling
- Traffic routed outside the VPN is visible to your ISP and any network observer - Do not assume unrouted traffic is private.
- WebRTC in your browser may leak your real IP even when the browser itself is routed through the VPN, if a non-VPN network interface is active. Test with our VPN Leak Test.
- DNS queries for excluded apps may bypass the VPN's DNS resolver - Enable DNS leak protection or set a system-wide secure DNS resolver separately.
- If your kill switch only blocks VPN-routed traffic, non-VPN traffic continues unaffected if the VPN drops - Which may be desirable or not depending on your use case.
Provider Support for Split Tunnelling
| Provider | Split Tunnelling | Platforms Supported | Type |
|---|---|---|---|
| NordVPN | ✓ Yes | Windows, Android | App-based exclude/include |
| ExpressVPN | ✓ Yes | Windows, Mac, Android, routers | App-based exclude |
| Surfshark | ✓ Yes (Bypasser) | Windows, Android | App-based + URL-based |
| ProtonVPN | ✓ Yes | Windows, Android, Linux (CLI) | App-based exclude |
| Mullvad | ✓ Yes | All platforms | Split tunnelling via app + CLI |
| Private Internet Access | ✓ Yes | Windows, Mac, Android | App-based |
| CyberGhost | Partial | Windows, Android only | App-based |