Top Picks at a Glance
| Provider | Per-App Tunneling | Per-IP/Domain | Inverse Mode | macOS Support | Price/Mo |
|---|---|---|---|---|---|
| 1. ExpressVPN | Yes | Yes | Yes | Yes | $8.32 |
| 2. NordVPN | Yes (Bypasser) | Yes | Yes | No (macOS limitation) | $3.99 |
| 3. Surfshark | Yes (Bypasser) | Yes | Yes | No (macOS limitation) | $2.49 |
| 4. PIA | Yes | Yes | Yes | Yes (PIA has macOS support) | $2.03 |
| 5. ProtonVPN | Yes | Limited | Limited | No | $4.99 |
Our Picks in Detail
ExpressVPN
- Split tunneling on Windows, Mac, Android, and ExpressVPN router app
- Per-app mode: select apps to include or exclude from VPN
- Per-IP/domain mode: route specific websites or IPs through or around VPN
- Inverse mode (only selected apps use VPN; everything else goes direct)
- Router-level split tunneling lets you assign whole devices to VPN or direct connection
- Highest price at $8.32/mo
- Split tunneling not available on iOS (Apple restriction, same for all VPNs)
NordVPN
- Bypasser allows per-app and per-website exclusions from VPN tunnel
- Works on Windows and Android — the two most common platforms
- Inverse mode: route only selected apps through VPN
- Meshnet split: LAN devices accessible while internet goes through VPN
- Threat Protection works on both tunneled and direct traffic
- No split tunneling on macOS (Apple/NordVPN limitation)
- No split tunneling on iOS (Apple restriction)
- Bypasser setup requires listing apps/URLs manually
Surfshark
- Bypasser works on Windows and Android
- Inverse Bypasser: only selected apps use VPN, everything else goes direct
- Useful for banking apps that block VPN IPs — add your banking app to bypass list
- Unlimited devices means split tunneling across more devices on one plan
- CleanWeb works on VPN-tunneled traffic
- No split tunneling on macOS or iOS
- Bypasser configuration can be unintuitive for first-time users
PIA
- Split tunneling on Windows, macOS, AND Android — unique macOS support
- Per-app and per-IP exclusions
- Inverse mode available
- Open-source apps — split tunneling implementation is auditable
- MACE works on VPN-tunneled traffic only
- US jurisdiction
- App interface less polished than ExpressVPN/NordVPN
- macOS split tunneling occasionally requires app restart after macOS updates
ProtonVPN
- Open-source split tunneling code — anyone can verify it doesn't log excluded traffic
- Available on Windows and Android
- Per-app exclusion from VPN tunnel
- NetShield applies to VPN-tunneled traffic
- Split tunneling not available on macOS or iOS
- Per-IP/domain split tunneling less flexible than ExpressVPN
- Inverse mode not available on all platforms
Types of Split Tunneling: Which Do You Need?
| Mode | How It Works | Best For |
|---|---|---|
| Include mode (default VPN) | All traffic through VPN; selected apps bypass VPN | Banking apps that block VPN IPs; local network devices |
| Exclude mode (inverse tunneling) | Only selected apps use VPN; everything else goes direct | Putting only your torrent client on VPN while gaming and streaming stay on direct connection |
| Per-IP/domain routing | Specific IP ranges or domains go through (or bypass) VPN | Routing work traffic through VPN while personal traffic goes direct |
| Router-level split tunneling | Assign whole devices: some use VPN network, others use direct | Smart TV on direct, laptop on VPN; smart home devices on direct |
Common Split Tunneling Use Cases
- Banking apps: Some banking apps flag VPN IP addresses as suspicious and refuse to load. Add your banking app to the VPN bypass list — it connects with your real IP, while all other traffic remains VPN-protected.
- Gaming latency: Online games are sensitive to latency. If your game server is nearby and VPN adds unnecessary latency, route your gaming client directly while keeping browser and torrenting through VPN.
- Local network access: Printers, NAS devices, and router admin panels only work on your local network. With full VPN on, local traffic may be blocked. Split tunneling can route local IP ranges (192.168.x.x) directly while everything else goes through VPN.
- Video calls: Zoom, Teams, and Google Meet work fine on VPN, but if you experience quality issues, adding the video call app to bypass can restore call quality while keeping other traffic protected.
- Work + personal separation: Use inverse mode to send only your work apps (VPN client, internal tools) through VPN while personal browsing goes direct — useful for employees on company VPN who want to keep personal traffic private from employer monitoring.
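
The per-IP rules described above (LAN ranges direct, a banking bypass, inverse mode) can be modeled as a small routing policy. This is an added example, not code from any VPN client: the rule sets, the work subnet and the sample addresses are constructed, and longest-prefix matching is assumed because that is how an OS routing table resolves overlapping rules. `exposed()` lists the rules whose traffic leaves outside the tunnel and is not LAN-only.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule sets; 203.0.113.0/24 is a documentation range standing in
# for a bank's servers, 10.20.0.0/16 is a hypothetical work subnet.
DEFAULT_VPN_RULES = [("192.168.0.0/16", "direct"),   # printers, NAS, router admin
                     ("203.0.113.0/24", "direct")]   # banking bypass
INVERSE_RULES = [("10.20.0.0/16", "vpn")]            # only work traffic tunneled

def route(dest, rules, default):
    """Return 'vpn' or 'direct' for dest; the most specific matching rule wins."""
    addr = ipaddress.ip_address(dest)
    best_net, best_path = None, default
    for cidr, path in rules:
        net = ipaddress.ip_network(cidr)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_path = net, path
    return best_path

def exposed(rules, default):
    """Rules that send non-LAN traffic outside the tunnel (visible to the ISP)."""
    found = ["default"] if default == "direct" else []
    for cidr, path in rules:
        net = ipaddress.ip_network(cidr)
        on_lan = net.version == 4 and any(net.subnet_of(p) for p in RFC1918)
        if path == "direct" and not on_lan:
            found.append(cidr)
    return found

if __name__ == "__main__":
    for dest in ("192.168.1.50", "203.0.113.10", "198.51.100.7"):
        print(dest, "->", route(dest, DEFAULT_VPN_RULES, "vpn"))
    print("exposed:", exposed(DEFAULT_VPN_RULES, "vpn"))
```

In inverse mode the default path itself is direct, so `exposed()` reports `default`: everything not explicitly listed is visible to the ISP.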
Why Split Tunneling Isn't Available on macOS and iOS
Most VPNs don't offer split tunneling on macOS or iOS due to platform restrictions:
macOS: Apple's Network Extension framework (which VPNs must use since macOS 10.15) doesn't provide native per-app traffic routing capabilities. VPNs must implement split tunneling through packet filtering (pf) or custom solutions — which is technically complex and often has edge cases. Only PIA has implemented reliable macOS split tunneling; most others have dropped it or never implemented it.
iOS: Apple's iOS Network Extension framework is even more restrictive. No VPN can implement per-app split tunneling on iOS without Apple's explicit approval (which is granted only for enterprise MDM scenarios). Consumer VPN apps cannot split-tunnel per app on iOS. The workaround is router-level split tunneling — configure split tunneling on your router and assign your iOS device to the appropriate network.
Frequently Asked Questions
What is VPN split tunneling?
Split tunneling divides your internet traffic — some apps or websites route through the VPN's encrypted tunnel while others connect directly to the internet using your real IP. This lets you get VPN privacy for sensitive traffic (torrenting, browsing) while maintaining full speed and your real IP for apps that need it (banking apps, gaming, local network access).
Does split tunneling reduce VPN security?
Split tunneling only reduces security for the traffic you exclude from the VPN: that traffic is no longer encrypted or anonymized by the VPN. Traffic inside the VPN tunnel remains fully protected. The security implication is that excluded traffic is visible to your ISP, just as it would be without a VPN. This is an acceptable tradeoff when excluding apps that already have their own security (banking apps with HTTPS) or apps where ISP visibility doesn't matter (local gaming servers).
Which VPN has split tunneling on Mac?
Private Internet Access is the only major commercial VPN with reliable split tunneling on macOS, supporting both per-app and per-IP exclusions. ExpressVPN has removed macOS split tunneling in recent versions. NordVPN and Surfshark do not offer it on macOS. If macOS split tunneling is a priority, PIA is your primary option — or use router-level split tunneling with any VPN, which is a macOS-agnostic approach.