VPN Split Tunneling - You Do Not Need to Route Everything Through the VPN
When you use a VPN, all of your internet traffic is routed through the VPN server. While this is ideal from a security standpoint, it introduces speed penalties and can prevent access to local network resources like printers and NAS devices.
Split tunneling solves this problem. It selectively routes some traffic through the VPN tunnel while letting the rest travel directly over your normal internet connection, balancing security with usability. However, misconfiguration can create a false sense of security where you believe you are protected but are not.
How Split Tunneling Works
In a standard VPN connection (full tunnel), every packet from your device is sent to the VPN server first, then forwarded to the internet. With split tunneling, the VPN client manipulates the device's routing table to direct only specific traffic into the VPN tunnel while the rest exits through the default gateway (your regular router).
Technically, the VPN client creates two routing entries: traffic destined for specified IP ranges (e.g., a corporate network at 10.0.0.0/8) is routed to the VPN interface, while everything else follows the default route to your local router.
Two Modes of Split Tunneling
- Include Split (Whitelist): Only specified traffic goes through the VPN. Everything else uses the normal connection
- Exclude Split (Blacklist): All traffic goes through the VPN except for specified exclusions
For security-conscious users, exclude split (VPN by default, with minimal exceptions) is recommended. For convenience-focused users, include split (only essential traffic through VPN) is more practical.
Full Tunnel vs. Split Tunnel - A Side-by-Side Comparison
| Aspect | Full Tunnel | Split Tunnel |
|---|---|---|
| Traffic path | All traffic via VPN | Selected traffic via VPN only |
| Speed | Overall reduction | Non-VPN traffic retains full speed |
| Security | All traffic encrypted | Non-VPN traffic is unencrypted |
| Local access | Blocked (requires extra config) | Available |
| DNS leak risk | Low | High (depends on configuration) |
| VPN server load | High | Low (only necessary traffic) |
In enterprise remote work environments, full tunnel routing forces all employee traffic - including YouTube and social media - through the VPN server, saturating bandwidth. Switching to split tunneling for corporate-only traffic can reduce VPN server load by 60-80% in many cases.
Security Risks to Understand
Split tunneling trades security for convenience. You must understand the following risks before enabling it.
DNS Leak Risk
DNS queries for VPN-routed traffic can leak outside the tunnel to your ISP's DNS servers. This is known as a DNS leak. In a split tunneling configuration, improper DNS settings can expose the domain names of your VPN-routed destinations to your ISP.
The fix is to lock your VPN client's DNS to the VPN provider's DNS servers, or configure DNS queries to always travel through the VPN tunnel regardless of the split tunneling policy.
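The routing-table mechanics from "How Split Tunneling Works", the two modes, and the DNS leak check above, as an added model in Python (not code from any real VPN client). It assumes constructed interface names (tun0 for the tunnel, eth0 for the physical NIC) and constructed resolver addresses, and uses longest-prefix matching the way a kernel does:

```python
from ipaddress import ip_address, ip_network

# Constructed interface names: tun0 is the VPN tunnel, eth0 the physical NIC.
VPN_IF, LAN_IF = "tun0", "eth0"
HALVES = (ip_network("0.0.0.0/1"), ip_network("128.0.0.0/1"))  # together cover all of IPv4

def build_routes(mode, prefixes=()):
    """Return a routing table as (network, interface) pairs for one tunneling mode."""
    routes = [(ip_network("0.0.0.0/0"), LAN_IF)]  # default route via the local router
    if mode == "include":
        # Include split: only the listed ranges (e.g. corporate 10.0.0.0/8) use the tunnel.
        routes += [(ip_network(p), VPN_IF) for p in prefixes]
    elif mode in ("full", "exclude"):
        # Tunnel by default: two /1 routes beat the /0 default by longest-prefix match.
        # Exclude split then carves out exceptions with more-specific routes; full tunnel has none.
        routes += [(net, VPN_IF) for net in HALVES]
        routes += [(ip_network(p), LAN_IF) for p in prefixes]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return routes

def egress_interface(routes, dst):
    """Pick the interface for dst the way the kernel does: longest matching prefix wins."""
    addr = ip_address(dst)
    _, iface = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return iface

def dns_leaks(routes, resolver):
    """True when queries to this resolver would bypass the tunnel (the DNS leak case)."""
    return egress_interface(routes, resolver) != VPN_IF

def pin_dns_to_tunnel(routes, resolver):
    """Mitigation: a /32 host route forces traffic to the resolver through the tunnel."""
    return routes + [(ip_network(f"{resolver}/32"), VPN_IF)]

if __name__ == "__main__":
    # Constructed addresses: a VPN-side resolver that is NOT inside the included corporate range.
    include = build_routes("include", ["172.16.0.0/12"])
    print("include split, resolver 10.8.0.1 leaks:", dns_leaks(include, "10.8.0.1"))
    print("after pinning:", dns_leaks(pin_dns_to_tunnel(include, "10.8.0.1"), "10.8.0.1"))
    exclude = build_routes("exclude", ["192.168.1.0/24"])
    print("exclude split, LAN printer exits via:", egress_interface(exclude, "192.168.1.20"))
```

Note that in include split the resolver leaks whenever its address falls outside the included prefixes, which is exactly the case a host route (or locking the client to the provider's resolver) closes.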
Malware Lateral Movement
With split tunneling, your device simultaneously connects to the VPN-protected corporate network and the unprotected internet. If malware infects your device through the internet-facing connection, it can pivot laterally into the corporate network through the VPN tunnel.
IP Address Exposure
Traffic excluded from the VPN reveals your real IP address - the one shown on IP Checker - directly to the destination server. If you use a VPN for privacy, be aware that excluded traffic leaks your actual IP address and location.
When to Use Each Mode
Whether to use split tunneling depends on your use case and threat model.
- Full tunnel is appropriate when: Using public Wi-Fi, privacy protection is the top priority, or corporate security policy mandates it
- Split tunnel is appropriate when: Working remotely and needing both corporate systems and general web browsing, maintaining streaming video quality, or accessing local network devices (printers, NAS)
Your choice of VPN protocol also affects speed. High-performance protocols like WireGuard can minimize the speed penalty of full tunnel mode, potentially eliminating the need for split tunneling altogether.
Consider combining split tunneling with a VPN kill switch. In a split tunnel configuration, the kill switch blocks only VPN-designated traffic when the connection drops, while non-VPN traffic continues unaffected.
Summary - Split Tunneling Requires Informed Use
Split tunneling is a practical solution to VPN speed and usability problems. However, it deliberately opens gaps in your security perimeter. Deciding what to route through the VPN and what to exclude requires understanding the sensitivity of each traffic flow.
When in doubt, start with full tunnel mode and switch to exclude split only when speed or local access issues arise, keeping the exclusion list as small as possible.
For a deeper understanding of VPN technology, networking books are a valuable resource.