What Split Tunneling Is
A standard VPN in full-tunnel mode routes all of a device's traffic through the encrypted tunnel — every web request, DNS lookup, streaming packet, and game connection exits through the VPN server's IP address. Split tunneling breaks that assumption. Instead of routing everything through the VPN, you choose which traffic uses the tunnel and which traffic goes directly to the internet through your normal ISP connection.
The result is two simultaneous paths: a tunneled path for traffic that needs VPN protection (corporate resources, private browsing), and a direct path for everything else (local network devices, streaming, gaming, cloud backups). Both paths are active at the same time on the same physical connection.
Full Tunnel vs Split Tunnel Trade-offs
| Mode | Where Traffic Goes | Advantages | Disadvantages |
|---|---|---|---|
| Full tunnel | All traffic through VPN | Simple policy, consistent protection, no leaks by design | Higher latency for everything, local devices may break, streaming services may block VPN IPs |
| Split tunnel (include) | Only selected traffic through VPN | Better performance for non-tunneled traffic, local network works normally | Untunneled traffic is exposed to ISP and local network, more complex to configure correctly |
| Inverse split tunnel (exclude) | Everything through VPN except exclusions | Most traffic protected, specific exceptions maintained | Requires careful exclusion list, easy to miss traffic types |
Include-Based vs Exclude-Based Split Tunneling
Include-based split tunneling starts with the assumption that all traffic goes directly to the internet, and you specify which destinations or applications should use the VPN. This is the most common form in consumer VPN clients. You might include only your company's internal IP ranges, or only a specific application like a corporate VPN client.
Exclude-based (inverse) split tunneling starts with everything going through the VPN and lets you carve out exceptions. For example, a corporate VPN might send everything through the company tunnel but exclude local subnet traffic so printers and file shares on the same Wi-Fi network remain reachable. This approach is more common in enterprise VPN configurations such as Cisco AnyConnect and Palo Alto GlobalProtect.
DNS Handling in Split Tunnel Configurations
DNS is the most common source of split-tunnel misconfiguration. When you split tunnel by destination IP, the application resolves the hostname first and only then does the operating system compare the resulting address against the routing table. The routing decision therefore happens after DNS resolution, so the DNS query itself must also go to the right resolver.
If your company uses internal DNS names (like app.corp.internal) that only resolve on the company's internal DNS servers, those queries must reach the VPN's DNS server even in a split-tunnel setup. If they instead go to your ISP's resolver or a public resolver like 8.8.8.8, the internal names will fail to resolve and the application breaks.
Good VPN clients handle this with DNS split tunneling: internal domain suffixes are resolved via the VPN's DNS server, while all other lookups use your normal resolver. Poorly configured setups either leak all DNS queries outside the tunnel (a DNS leak) or force all DNS through the VPN unnecessarily. You can verify DNS behavior using a DNS leak test tool after connecting.
Common Use Cases
- Corporate remote access: Route traffic to company IP ranges and internal services through the VPN. Route everything else — streaming, personal browsing, gaming — directly to the internet. This avoids routing all employee internet traffic through the company's network and reduces the load on corporate egress.
- Consumer VPN with streaming: Route traffic to privacy-sensitive destinations through the VPN while letting streaming services access content with your real geographic IP, avoiding VPN blocks on Netflix, Disney+, and similar platforms.
- Home network devices: Keep local network traffic (printers, NAS, smart home devices) off the VPN tunnel so they remain accessible while the VPN is active.
- Low-latency gaming: Keep game traffic on the direct internet path (lower latency) while routing browser or work traffic through the VPN.
Configuring Split Tunneling in Common VPN Clients
In OpenVPN, split tunneling is controlled by whether the server pushes a default gateway route. A full-tunnel config pushes `redirect-gateway def1`, which overrides the client's default route. A split-tunnel config omits this and instead pushes only specific subnet routes, leaving all other traffic on the client's normal default gateway.
In WireGuard, the `AllowedIPs` setting in the peer configuration controls which destination IPs use the tunnel. Setting `AllowedIPs = 0.0.0.0/0` (plus `::/0` if IPv6 is in use) is full tunnel. Specifying only company subnets — for example `AllowedIPs = 10.0.0.0/8, 192.168.100.0/24` — creates a split tunnel that routes only those ranges through the VPN.
In GlobalProtect (Palo Alto) and Cisco AnyConnect, split tunneling is configured on the server/gateway side in the VPN profile or access policy. The client receives a route table from the gateway that specifies which subnets are tunneled. End users typically cannot override this — it is an IT policy decision.
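The DNS-before-routing point above and the `AllowedIPs` example can be checked mechanically. The following Python simulation is an added illustration, not code from WireGuard or any VPN client: it parses the `AllowedIPs` prefixes out of a constructed client config, applies an assumed list of internal DNS suffixes, and flags lookups for names that resolve into a tunneled range but would still be sent to the ISP resolver.

```python
# Simulate a WireGuard split tunnel's routing and split-DNS decisions.
# Constructed example: the config and suffix list are invented for illustration.
import ipaddress
from typing import List, Tuple

# Constructed client config: only the two corporate ranges are tunneled.
WG_CONF = """
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.7.0.2/32
DNS = 10.0.0.53
[Peer]
PublicKey = <placeholder-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.0.0.0/8, 192.168.100.0/24
"""
# Assumed internal zones that only the VPN resolver (10.0.0.53) can answer.
TUNNEL_DNS_SUFFIXES = ["corp.internal"]

def parse_allowed_ips(conf: str) -> list:
    """Collect every AllowedIPs prefix from all [Peer] sections."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(v.strip()) for v in value.split(",") if v.strip()]
    return nets

def is_tunneled(ip: str, nets: list) -> bool:
    """Routing step: a packet enters the tunnel only if its destination lies in an AllowedIPs prefix."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

def resolver_for(hostname: str, suffixes: List[str]) -> str:
    """DNS step: names under an internal suffix go to the VPN resolver, all others to the ISP."""
    return "vpn" if any(hostname == s or hostname.endswith("." + s) for s in suffixes) else "isp"

def classify(hostname: str, resolved_ip: str, nets: list, suffixes: List[str]) -> Tuple[str, str, str]:
    """Return (resolver, path, verdict). The lookup happens before routing, so a name that
    resolves into a tunneled range but was sent to the ISP resolver is a DNS leak."""
    resolver = resolver_for(hostname, suffixes)
    path = "tunnel" if is_tunneled(resolved_ip, nets) else "direct"
    verdict = "dns-leak" if path == "tunnel" and resolver == "isp" else "ok"
    return resolver, path, verdict

if __name__ == "__main__":
    nets = parse_allowed_ips(WG_CONF)
    # Constructed lookups: a handled internal name, a public site, and a name missing from the suffix list.
    for host, ip in [("app.corp.internal", "10.1.2.3"), ("www.example.org", "93.184.216.34"),
                     ("wiki.corp.example", "192.168.100.5")]:
        print(host, ip, classify(host, ip, nets, TUNNEL_DNS_SUFFIXES))
```

The third lookup is the misconfiguration the DNS section describes: the address is tunneled, but because `corp.example` is not on the suffix list the query itself leaves through the ISP resolver.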
Security Risks of Split Tunneling
The primary risk is that traffic outside the tunnel receives no VPN protection. On an untrusted network — a hotel, coffee shop, or conference Wi-Fi — the untunneled traffic is visible to the local network operator and potentially to other users on the same network. This is particularly important for unencrypted protocols, though modern HTTPS reduces the practical risk for web browsing.
DNS leaks are the second major risk. If internal domain lookups escape the tunnel, an external observer can infer which internal services you are accessing. DNS leak tests can confirm whether queries are staying inside the tunnel as intended.
WebRTC leaks are a browser-specific risk. WebRTC, used for video calls and peer-to-peer connections in browsers, can expose your real IP address even when a VPN is active: during ICE candidate gathering the browser enumerates the device's network interfaces and may query a STUN server, and with a split tunnel the interface list or the untunneled STUN exchange can reveal your real address to the web page regardless of how ordinary traffic is routed. Browser extensions that disable WebRTC or VPN clients with WebRTC leak protection mitigate this.
When to Use Full Tunnel Instead
Use a full tunnel when you are on an untrusted public network with sensitive work, when your organization's security policy requires it, or when you want the simplest and most consistent privacy model without managing per-app or per-route exceptions. The performance cost of full tunneling on a modern VPN server is modest on fast connections, and the simplicity of knowing all traffic is protected is sometimes worth more than the performance gain from splitting.
Frequently Asked Questions
Is split tunneling safe?
It can be safe when configured deliberately for a specific purpose. Traffic outside the tunnel is exposed to the local network and ISP as it would be without any VPN. The risk level depends on what that untunneled traffic contains and the trustworthiness of the network you are on.
Does split tunneling make a VPN faster?
It can improve overall network performance because high-bandwidth traffic like streaming and gaming avoids the encryption overhead and routing detour of the VPN server. The VPN tunnel itself runs at the same speed regardless — split tunneling just keeps some traffic off it.
What is inverse split tunneling?
Inverse (or exclude-based) split tunneling routes everything through the VPN by default and allows specific destinations or applications to bypass it. This is the reverse of include-based split tunneling, which starts with direct internet access and tunnels only selected traffic.