VPN split tunneling lets you choose which apps or websites use your Virtual Private Network (VPN) and which use your regular internet connection. Selective traffic routing can boost performance and save bandwidth. This makes it easier to stream, play games, or access LAN devices such as printers. However, split tunneling can also introduce security risks, so it’s important to use it safely.
When split tunneling is enabled, some of your online activity bypasses the VPN. Any unencrypted data traveling outside the tunnel is visible to your local Wi-Fi provider, your Internet Service Provider (ISP), or anyone connected to the same public Wi-Fi network. This can expose unprotected apps to potential cyberattacks.
Used incorrectly, split tunneling may lead to data leakage, exposure of sensitive data, or even malware infections. In this guide, we’ll explain how VPN encryption works – and how to use split tunneling without compromising your security.
What is VPN encryption?
A VPN is a network security tool that allows internet users to create an encrypted tunnel between their device and a proxy server or remote corporate network. This encrypted VPN tunnel ensures data security and tracking prevention. Which means you can browse the internet privately and be safe against eavesdropping or hackers.
How individuals and businesses use VPN encryption to stay safer online:
- For home users, a VPN provides privacy, data security, and the ability to spoof location. It prevents website tracking, stops mandatory data retention, and allows VPN subscribers to change their IP address to appear as if they’re in another country or state.
- For businesses, a VPN allows secure remote access to corporate networks and resources. This ensures access to company resources when working from home, using public Wi-Fi, or connecting via mobile data.
How VPN encryption works
A VPN’s encryption secures your data before it leaves your device. Once encrypted, all traffic sent through the VPN tunnel is protected against unwanted tracking (by local networks, Internet Service Providers, hackers, and government snoops).
VPN encryption also hides your real IP address from the websites and services you visit. This hides your physical location, helping prevent website tracking and data collection that enable online profiling (and targeted advertising). It also allows you to access region-locked content such as Netflix US, Hulu, or BBC iPlayer while traveling.
Reliable consumer VPNs use secure tunneling protocols like OpenVPN, WireGuard, and IKEv2. These protocols have been independently audited and proven to deliver fast speeds, along with military-grade encryption.
This means you can use the best VPNs to protect your online privacy while maintaining the fast speeds needed for everyday tasks such as streaming, gaming, and torrenting. The only caveat? Not all VPNs are reliable or secure, so stick to those that have been fully tested.
What is VPN split tunneling?
VPN split tunneling lets you use your VPN connection alongside your regular, unprotected internet connection. The easiest way to picture it is as two separate pipes running from your device – one carrying your encrypted VPN traffic, and the other carrying regular internet traffic (which websites will recognize as coming from your real IP address).
This setup gives you flexibility. You can route certain activities outside the VPN tunnel while keeping sensitive tasks – such as torrenting or accessing confidential data – locked inside the encrypted VPN tunnel. Split tunneling can also improve performance by keeping tasks that don’t require privacy routed through your normal internet connection (which ensures you get the full speed you pay your ISP for).
What’s more, split tunneling also helps prevent overloading system resources (memory and processing power). By routing only sensitive apps and websites through the VPN, you reduce the need for your VPN client to encrypt and decrypt all outgoing data. This keeps your device running smoothly and improves performance for data-intensive programs such as games.
Read our complete guide to VPN tunneling for a more detailed technical overview of how split tunelling works.
Types of split tunneling with consumer VPNs
Most consumer VPNs offer application-based split tunneling, which lets you select specific apps that bypass the VPN. Some providers also offer inverse split tunneling, which works in the opposite direction. This lets you specify which apps should use the VPN while all others stay outside the tunnel.
Inverse split tunneling can sometimes be configured to work in conjunction with an auto-connect feature. This causes the VPN connection to automatically engage whenever you launch an app with the inverse split tunneling rule.
A few advanced VPNs also include rules-based split tunneling. This allows you to whitelist domains (URLs) that should always use your regular unprotected internet connection. This ensures those websites always receive traffic from your real home IP address, which is useful for services that block or flag VPN traffic (such as Steam, Fiverr, Upstart, poker websites, online bookies, government gateways, and internet banking).
What are the dangers of split tunneling?
Recommended VPNs have undergone independent feature audits. This means they successfully route traffic in and out of the tunnel simultaneously (based on your split-tunneling choices) without exposing your network or device to unnecessary risks.
That said, using split tunneling still introduces some vulnerabilities that home VPN users need to be aware of. Below, we’ve listed the main risks of enabling split tunneling:
1. Exposure of sensitive data
When you enable split tunneling, you intentionally limit the protection that your VPN provides. A default full VPN setup leaves no room for error. It ensures that local networks (whether at home, at work, or on public Wi-Fi) can never see your DNS requests or the contents of your internet traffic.
This prevents eavesdroppers from tracking your browsing history or communications metadata, which could allow anyone monitoring your connection to see who you’re communicating with – whether you’re sending an email or sharing data via P2P while torrenting.
As soon as you set split tunneling to remove an application from the VPN tunnel, everything you do via that app becomes unprotected. The split-tunneling feature compromises your privacy by design, though it can be useful in specific circumstances. However, it also creates risks if you later forget that you enabled split tunneling.
The solution? Always disable split tunneling after using it to ensure your VPN resumes providing complete privacy for all apps and services.
2. Bypassing corporate network security
Forcing all corporate traffic to pass through the VPN ensures that data remains encrypted in transit. It also centralizes network access, allowing IT teams to focus on securing a single entry point (for example, through Zero Trust authentication, robust firewalls, and SaaS-based threat prevention tools that block unwanted connections).
However, if employees enable split tunneling, they could expose certain traffic outside the VPN tunnel. This can reveal the company’s real IP address to third parties, increasing the risk of the network being probed for vulnerabilities (open ports, insecure apps, or other potential attack vectors).
Split tunneling can also bypass administrators’ private DNS rules that block access to known phishing or malware-hosting domains.
The solution? Disable split tunneling for any data entering or leaving the corporate network. This ensures that all company traffic flows through the same secure gateway, making it easier to enforce perimeter security policies and monitor for threats.
3. Split tunneling can open the door to cyberattacks
Whether you are a home internet user or a small business owner, split tunneling can introduce risks. One of the most important uses of a VPN is to hide your home IP address from the websites and services you use.
A VPN also prevents you from exposing your IP address directly to other users via the internet, Peer-to-Peer. This allows you to set up game servers, make VoIP calls, use P2P apps, or engage in file-sharing (torrenting) without exposing your home IP address to unwanted third parties.
Once your IP address is exposed, hackers can add your smart home devices to a botnet. They can also take control of network devices to spy on them. For example, they might access web-connected cameras or microphones.
If a hacker finds an open port or insecure device, they can use it to gain a foothold. From there, they can spread malware, spyware, or other dangerous exploits, such as viruses, worms, or ransomware, across your network.
These attacks can lead to data theft, account takeovers, and fraud. They may even cause identity theft or other online scams. That’s why you should always monitor your split-tunneling use and limit it to secure apps or services that truly don’t need extra privacy protection.
4. Creates a threat of malware and phishing
Enabling split tunneling disables privacy for certain apps or services. This can create a serious threat of malware infection or phishing attacks. When data bypasses the encrypted VPN tunnel, it travels across the internet without the protection of your VPN’s encryption. This creates a risk of tracking and of your IP address being exposed.
If all your traffic passes through a VPN, network security systems such as firewalls, intrusion detection, and threat monitoring can often detect and block suspicious connections to malicious servers – such as the command-and-control servers that Remote Access Trojans (RATs) use to send data back to attackers.
When you enable split tunneling, you send infected or compromised traffic outside the secure corporate perimeter, allowing it to evade company oversight and exposing the network to attack.
Home users face the same risk. If you access a compromised app or phishing website outside the VPN tunnel, you allow malicious traffic to reach your devices. Once malware infects your system, it spreads and gives attackers direct access to your data, apps, and services before the VPN can encrypt them. As a result, hackers can monitor not just your activities but also your files, programs, and sensitive information.
To stay safe: only use split tunneling with trusted apps and verified websites, and always maintain up-to-date antivirus software with real-time protection to detect and block suspicious activity.
5. Non-compliance with data privacy regulations
Many businesses use VPNs to protect consumer data and other sensitive company information, which could lead to fines if exposed.
Whether a business needs to comply with consumer privacy regulations such as GDPR or CCPA, or the company uses a VPN to enforce stronger perimeter security, it’s vital to ensure that split tunneling isn’t creating gaps in those defenses.
Poorly implemented split tunneling can increase the risk of cyberattacks or accidental data leaks. This, in turn, could result in non-compliance with data privacy and cybersecurity regulations such as the FTC Act, HIPAA, CCPA, GDPR, or the SEC Cybersecurity Disclosure Rules.
In these cases, the vulnerabilities or attack vectors caused by improper split tunneling configurations could expose the business to fines, legal repercussions, and other liabilities.
How to avoid VPN split tunneling security risks
If you intend to use VPN split tunneling in your VPN app, you must do so safely. To help you out, we have included a list of split tunneling rules you can use to prevent as many split tunneling security risks as possible:
- Only let trusted apps bypass the VPN. Avoid whitelisting traffic from apps downloaded outside official app stores, as they may contain spyware, exploits, or malware that could allow hackers to steal or track data on your device.
- Stick to secure, verified websites. Always use sites with HTTPS encryption. Avoid free download sites, third-party app repositories, illegal streaming and piracy sites, and other dodgy pages that could expose you to phishing or malware. Don’t follow unverified links received in messages or emails, as these could lead to phishing or malware infections
- Never use split tunneling on public Wi-Fi. Browsing without VPN protection on open networks can expose your traffic to hackers or network snoops. If you need to use public Wi-Fi, enable full-device VPN protection without split tunneling.
- Learn how your VPN’s split tunneling mode works. With inverse split tunneling, only selected apps are protected by the VPN while everything else stays exposed to tracking. By understanding how split tunneling works with your VPN, you can make safer and more informed choices.
- Use split tunneling sparingly. If possible, only remove one app or website from the VPN tunnel instead of protecting just one app. This approach keeps most of your traffic secure and minimizes risk if you forget to disable it later.
- Turn split tunneling off after using it. Leaving it on accidentally is one of the most common ways users expose themselves to tracking and other privacy threats. Don’t let it give you a false sense of security – always disable it once you’re done.
- Never use split tunneling to bypass the VPN for P2P activities. This exposes your home IP address to third parties, allowing hackers to probe your network for vulnerabilities or exploit insecure devices.
Which VPNs offer secure split tunneling?
Are you interested in using a VPN for some activities but not others? Need a VPN that protects your torrents while letting you use your regular home internet connection for everything else? We’ve included our list of the best split tunneling VPNs below – follow the link for more details.
- NordVPN: Best overall split tunnel VPN. Supports app-based split tunneling on Windows, Android, and Android TV, plus domain exclusions in its browser extension. It’s ideal for users who want flexible control over which apps use the VPN while maintaining strong encryption and fast speeds.
- Surfshark: Best value split-tunneling VPN. Offers split tunneling via its “Bypasser” feature on Windows, Android, macOS, and browser extensions. It’s perfect for users who want affordable control over which apps stay protected and which run outside the VPN.
- ProtonVPN: Provides split tunneling on Windows and Android, with Linux support in beta. It’s a great pick for privacy-focused users who want selective routing backed by Swiss jurisdiction and a strict no-logs policy. Also includes port forwarding, which is ideal for torrenting enthusiasts.
- ExpressVPN: Includes split tunneling on Windows, Android, and select router apps. Combines flexibility with excellent performance for users who want to balance privacy and speed.
- IPVanish: Supports split tunneling on Windows, Android, and Fire TV. Ideal for users who want detailed control of their traffic while maintaining strong encryption and reliable privacy protection.
WANT TO TRY THE TOP VPN RISK-FREE?
NordVPN is offering a fully featured, risk-free 30-day trial if you sign up at this page. You can use the VPN rated #1 for split tunneling with no restrictions for a month—great if you need time to test if it’s the right VPN for you.
There are no hidden terms—just contact support within 30 days if you decide NordVPN isn't right for you, and you'll get a full refund. Start your NordVPN trial here.
When should I use split tunneling?
Split tunneling comes in handy when you want to balance speed, privacy, and convenience. It lets you decide which apps or websites use the VPN and which connect directly to the internet. This gives you more control over which activities require privacy and which are fine to use at full speed.
For example, you can use split tunneling to save bandwidth by keeping low-risk tasks like streaming or gaming outside the VPN tunnel. This keeps your connection running faster while still protecting sensitive activities like file sharing. Just remember that you’ll need to connect to your VPN if you want to stream your account from abroad (which is one of the main advantages of using a VPN for streaming access).
It’s also useful if you need to access local network devices such as printers, NAS storage, or other smart home gadgets that won’t let you connect when the VPN is active. Split tunneling lets you stay connected to your home network while also keeping your internet-bound traffic private.
Another benefit is that split tunneling reduces strain on system resources. Encrypting all your internet traffic can be demanding for older laptops or phones, so routing only essential apps through the VPN can help free up memory and processing power.
Finally, split tunneling is perfect when you want more flexibility online. You can use split tunneling to watch local streaming services through your regular home connection while downloading privately (or in any other way that suits your needs), but use it carefully to stay secure.
Split tunneling security risks FAQs
Can you choose which traffic goes through a VPN split tunnel?
Yes. When you subscribe to a market-leading consumer VPN brand (like the ones recommended in this guide), you’ll be able to use Split Tunneling to choose which apps or websites use the VPN and which connect directly to the internet.
What is SASE (Secure Access Service Edge)?
SASE is an enterprise security framework that combines networking and cybersecurity tools such as VPNs, firewalls, and zero-trust access into a single cloud-based service. It’s designed for businesses that need to securely access corporate resources without relying on traditional on-site hardware.
Companies using VPNs as part of a SASE setup must ensure that split tunneling is configured to work securely alongside other integrated SASE systems. Compliance with security standards and regulations should also be carefully considered.
Home users with a consumer VPN don’t need to worry about SASE or other corporate network integrations.
What is dynamic split tunneling?
Some VPN providers are starting to experiment with dynamic split tunneling. This setup allows the VPN application to decide whether to route traffic inside or outside the VPN tunnel based on its sensitivity. For example, banking or work apps might go through the VPN, while low-risk apps (like streaming or gaming) connect directly to the internet.
This automated approach can improve performance, but it also introduces privacy risks by removing the user’s ability to definitively know what traffic is being routed inside the VPN tunnel.
For the highest level of privacy, we recommend using split tunneling manually: Only whitelist apps that truly require no privacy protection, and keep all other traffic securely encrypted inside the VPN tunnel.
How do I enable split tunneling in my VPN app?
Launch your VPN app and open the settings menu. Locate the split tunneling feature and turn it on. You’ll then be asked to choose which apps or domains to exclude from the VPN tunnel for the duration of your session.
Remember to disable split tunneling once you’re done. If you forget, those apps could remain exposed in future VPN sessions, putting your privacy and security at risk.
