How Split Tunneling Works
A standard VPN in full-tunnel mode routes all of your device's traffic through the encrypted tunnel: every DNS lookup, every HTTP request, every background app update. Split tunneling routes only designated traffic through the VPN; the rest leaves directly over your normal ISP connection. In practice the client installs routes of different prefix lengths and lets the routing table's longest-prefix match decide: a default route (0.0.0.0/0) for one path and more specific routes for the other, with the selection keyed on IP range, domain, application, or a combination. Application-based rules need more than plain routes (the client has to tag a process's packets, typically with a firewall mark and policy routing), which is why per-app split tunneling is only offered on some platforms.
Most modern VPN clients implement split tunneling in one of two ways: an inclusion list (only the listed apps/IPs use the VPN; everything else goes direct) or an exclusion list (everything uses the VPN except the listed apps/IPs). The difference that matters is what happens to traffic nobody listed. An inclusion list fails open for privacy (an unlisted app or destination goes to the ISP by default) but keeps the tunnel footprint minimal, so it fits a work VPN that should carry only corporate traffic. An exclusion list fails safe (unlisted traffic stays in the tunnel) and is the right choice when the VPN exists for privacy and you only need to carve out a few local resources or bandwidth-heavy apps.
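The routing decision described above, modelled in Python as an added example (this is not any VPN vendor's code; the policy names, the `lan` knob and the sample flows are assumptions made for the illustration). It implements both policy styles, applies longest-prefix match the way the kernel routing table does (which is also how WireGuard's AllowedIPs behaves, since wg-quick turns each listed prefix into a route), and makes the fail-open versus fail-safe difference visible by feeding the same unlisted flow to both policies.

```python
"""Split-tunnel routing decisions modelled in Python.

Added illustration, not any VPN vendor's code. Policy names, the `lan`
knob and the sample flows below are assumptions made for the example.
Destination matching uses longest-prefix match, the rule the kernel
routing table applies: a /24 beats a /16 beats the /0 default route.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Literal

Path = Literal["vpn", "direct"]


@dataclass
class SplitTunnelPolicy:
    """mode="inclusion": listed networks/apps use the VPN, all else goes direct.
    mode="exclusion": everything uses the VPN except listed networks/apps."""
    mode: Literal["inclusion", "exclusion"]
    networks: list[str] = field(default_factory=list)  # CIDR strings
    apps: set[str] = field(default_factory=set)        # process names
    lan: str | None = None  # local subnet kept on-link (assumed "allow LAN" option)

    def __post_init__(self) -> None:
        self._nets = [ip_network(n, strict=False) for n in self.networks]
        self._lan = ip_network(self.lan, strict=False) if self.lan else None

    def _best_listed_prefix(self, dst):
        """Longest listed prefix containing dst, or None if nothing matches."""
        hits = [n for n in self._nets if dst in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def decide(self, dst_ip: str, app: str | None = None) -> tuple[Path, str]:
        dst = ip_address(dst_ip)
        # The on-link LAN route is more specific than any default route, so it
        # wins regardless of mode; this is what "exclude local subnet" does.
        if self._lan is not None and dst in self._lan:
            return "direct", f"{dst} is on-link in {self._lan}"
        if app is not None and app in self.apps:
            listed, reason = True, f"app {app!r} is listed"
        else:
            pfx = self._best_listed_prefix(dst)
            listed = pfx is not None
            reason = f"{dst} matched {pfx}" if listed else f"{dst} matched no listed prefix"
        if self.mode == "inclusion":
            return ("vpn" if listed else "direct"), reason
        return ("direct" if listed else "vpn"), reason

    def route(self, dst_ip: str, app: str | None = None) -> Path:
        return self.decide(dst_ip, app)[0]


def unlisted_default(policy: SplitTunnelPolicy) -> Path:
    """Where traffic nobody listed ends up: the fail-open / fail-safe difference."""
    return "direct" if policy.mode == "inclusion" else "vpn"


# Constructed policies for the two scenarios in the text.
WORK_VPN = SplitTunnelPolicy(
    mode="inclusion",
    networks=["10.20.0.0/16", "172.16.8.0/22"],  # assumed corporate ranges
    apps={"outlook"},
)
PRIVACY_VPN = SplitTunnelPolicy(
    mode="exclusion",
    networks=["192.168.1.0/24"],
    apps={"steam"},
    lan="192.168.1.0/24",
)

# Constructed sample flows: (destination IP, process name).
FLOWS = [
    ("10.20.5.7", "ssh"),
    ("172.16.9.200", "chrome"),
    ("192.168.1.20", "printer"),
    ("142.250.80.46", "chrome"),
    ("142.250.80.46", "outlook"),
    ("142.250.80.46", "steam"),
    ("142.250.80.46", "new-unknown-app"),
]


def audit(policy: SplitTunnelPolicy, flows) -> dict[tuple[str, str], Path]:
    """Path taken by every flow under one policy."""
    return {(dst, app): policy.route(dst, app) for dst, app in flows}


if __name__ == "__main__":
    for name, pol in (("work / inclusion", WORK_VPN), ("privacy / exclusion", PRIVACY_VPN)):
        print(f"== {name}: unlisted traffic defaults to {unlisted_default(pol)}")
        for (dst, app), path in audit(pol, FLOWS).items():
            print(f"  {app:>16} -> {dst:<14} {path:<6} ({pol.decide(dst, app)[1]})")
```

The line to watch in the output is `new-unknown-app`: the same flow goes direct under the inclusion policy and into the tunnel under the exclusion policy, which is the whole fail-open versus fail-safe argument in one row.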
Full Tunnel vs Split Tunnel Comparison
| Characteristic | Full Tunnel | Split Tunnel |
|---|---|---|
| Traffic routing | All traffic through VPN | Selected traffic only |
| Speed impact | VPN overhead on everything | Only VPN-bound traffic affected |
| Local device access | Often blocked (printer, NAS, Chromecast) unless the client has an allow-LAN option | Local network remains accessible |
| ISP visibility | ISP sees only VPN server, not destinations | ISP sees non-VPN traffic destinations |
| DNS leaks possible | Less likely if VPN handles DNS | More likely; DNS config must match routing |
| Best for | Public Wi-Fi, high-privacy use, regulated work | Work VPNs, gaming, streaming, home labs |
Practical Split Tunnel Configurations
Work VPN with split tunneling: send traffic to company IP ranges and internal domains through the work VPN; let everything else (streaming, personal browsing, gaming) go direct. This is the most common enterprise use case — it reduces VPN server load, prevents the company from seeing personal traffic, and keeps streaming services from thinking you are in the wrong country.
Privacy VPN with split tunneling: route only specific privacy-sensitive apps (Tor Browser, a torrent client, a messaging app) through the VPN while gaming, video calls, and large downloads go direct. This preserves speed for bandwidth-heavy applications while maintaining VPN coverage for the specific apps where it matters.
Home lab access: use split tunneling in a mesh VPN (Tailscale, ZeroTier) to reach home lab devices through the VPN while all other internet traffic goes direct. Have the node at home advertise only your home subnet rather than act as a default gateway: in Tailscale that is a subnet router started with `tailscale up --advertise-routes=192.168.1.0/24` (clients that need the route run with `--accept-routes`), not an exit node (`--advertise-exit-node`), which would pull all of a client's traffic through your home connection.
The DNS Leak Problem
Split tunneling creates a common DNS leak scenario. Your traffic routing may correctly send application data through the VPN, but if DNS queries for VPN-bound domains still go to your ISP's resolver, the ISP can see which domains you are resolving — even if the actual connection happens through the VPN. This is a partial leak that defeats some privacy goals without breaking connectivity.
To test for DNS leaks: enable split tunneling, then visit a DNS leak test site (dnsleaktest.com, ipleak.net). Be clear about what such a test shows: it reports the resolver used by the browser you ran it from, so in inclusion-list mode a browser that is not on the list will show your ISP's resolvers by design. To check the VPN-bound path, run the test from an app that is inside the tunnel, or query a VPN-only name directly (`resolvectl query intranet.corp.example` on a systemd-resolved host reports which link answered; `nslookup` shows the server) and confirm the answer came from the VPN resolver. If your ISP's resolvers answer for names that should be resolved inside the VPN, DNS is leaking. On Windows, also account for smart multi-homed name resolution, which can send a query to the resolvers of every interface in parallel and so leaks regardless of routing unless the client or a policy disables it. Fix options include configuring your VPN client to use per-domain DNS routing rules, manually setting the DNS server on your device to a VPN-provided resolver, or using a VPN client that handles DNS split tunneling automatically.
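The leak scenario above, and the per-domain fix, modelled in Python as an added example (not the page's or any client's code). It mimics systemd-resolved style per-interface resolvers with "routing domains" (`~suffix`): a query goes to the interface whose routing domain best matches the name, otherwise to the resolver of the interface holding the default route. Interface names, resolver addresses (RFC 5737 and RFC 1918 ranges) and the domain lists are constructed for the illustration; the data-path policy is a domain-based inclusion list as described earlier on this page.

```python
"""DNS split-tunnel leak check modelled in Python.

Added illustration, not the page's or any client's code. Models
systemd-resolved style per-interface resolvers with routing domains
("~suffix"): a query goes to the interface whose routing domain best
matches the name, otherwise to the default-route interface's resolver.
Interface names, resolver addresses and domain lists are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Iface:
    name: str
    dns: tuple[str, ...]
    routing_domains: tuple[str, ...] = ()  # "~corp.example": only matching queries go here
    is_default: bool = False                # holds the default route (the ISP path)


def domain_matches(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it (leading '~' ignored)."""
    n = name.rstrip(".").lower()
    s = suffix.lstrip("~").rstrip(".").lower()
    return n == s or n.endswith("." + s)


def data_path(name: str, vpn_suffixes: list[str]) -> str:
    """Domain-based inclusion list: listed suffixes ride the VPN, the rest go direct."""
    return "vpn" if any(domain_matches(name, s) for s in vpn_suffixes) else "direct"


def resolver_for(name: str, ifaces: list[Iface]) -> Iface:
    """Longest matching routing domain wins; otherwise the default-route interface."""
    best: tuple[int, Iface] | None = None
    for iface in ifaces:
        for dom in iface.routing_domains:
            if domain_matches(name, dom) and (best is None or len(dom) > best[0]):
                best = (len(dom), iface)
    if best is not None:
        return best[1]
    return next(i for i in ifaces if i.is_default)


def find_dns_leaks(queries, vpn_suffixes, ifaces, vpn_iface) -> list[tuple[str, str, str]]:
    """Names whose data goes over the VPN but whose DNS query does not.

    Returns (name, interface that answered, resolver address) per leak."""
    leaks = []
    for q in queries:
        if data_path(q, vpn_suffixes) == "vpn":
            r = resolver_for(q, ifaces)
            if r.name != vpn_iface:
                leaks.append((q, r.name, r.dns[0]))
    return leaks


def with_dns_split(ifaces, vpn_iface, vpn_suffixes) -> list[Iface]:
    """The fix: attach a routing domain for every VPN-bound suffix to the VPN interface."""
    wanted = tuple("~" + s for s in vpn_suffixes)
    return [
        replace(i, routing_domains=tuple(dict.fromkeys(i.routing_domains + wanted)))
        if i.name == vpn_iface else i
        for i in ifaces
    ]


# Constructed configuration: one suffix already has a routing domain, one does not.
VPN_SUFFIXES = ["corp.example", "intranet.example"]
IFACES = [
    Iface("eth0", dns=("203.0.113.53",), is_default=True),                  # ISP resolver
    Iface("wg0", dns=("10.20.0.53",), routing_domains=("~corp.example",)),  # VPN resolver
]
QUERIES = ["wiki.corp.example", "jira.intranet.example", "www.example.com"]

if __name__ == "__main__":
    for name, iface, server in find_dns_leaks(QUERIES, VPN_SUFFIXES, IFACES, "wg0"):
        print(f"LEAK: {name} rides the VPN but was resolved on {iface} via {server}")
    fixed = with_dns_split(IFACES, "wg0", VPN_SUFFIXES)
    print("after fix:", find_dns_leaks(QUERIES, VPN_SUFFIXES, fixed, "wg0"))
```

`jira.intranet.example` is the partial leak the text describes: its connection is tunneled, but the lookup goes to the ISP resolver because only `~corp.example` was attached to `wg0`. The check is deliberately one-directional; a personal domain resolved by the VPN resolver is not flagged here, although it does tell the VPN provider something, and the model does not capture Windows-style parallel queries across all interfaces.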
When to Use Full Tunnel Instead
Split tunneling has real security tradeoffs. Use full tunnel in these situations:
- Untrusted public Wi-Fi: the threat model here is an attacker on the same network. Full tunnel keeps all traffic off the local segment; pair it with the client's kill switch so nothing leaks while the tunnel is down or reconnecting.
- Regulated workplace requirements: many compliance frameworks require that all traffic from work devices pass through corporate monitoring. Split tunneling circumvents this and can create compliance violations.
- You want to hide all traffic patterns from your ISP: split tunneling leaves non-VPN traffic visible to your ISP. If hiding your browsing destinations is the point, full tunnel is necessary.
- You cannot audit what traffic is inside vs outside the tunnel: if the list of VPN-routed traffic is unclear or managed automatically, full tunnel removes the ambiguity.
Frequently Asked Questions
Does split tunneling reduce VPN speed for traffic that goes through the VPN?
No — split tunneling does not change how the VPN processes traffic that goes through it. The VPN overhead per packet is the same whether you are in split-tunnel or full-tunnel mode. The benefit is that heavy traffic like streaming and downloads no longer adds to the VPN server's load and does not consume your VPN bandwidth allocation. If your VPN has bandwidth limits or rate limiting, split tunneling can significantly improve the experience for both VPN and non-VPN traffic by reducing load on the tunnel.
Can split tunneling be detected by the VPN server?
No. The VPN server only sees what arrives through the tunnel; it has no view of traffic that goes direct and cannot tell whether you are split tunneling or simply sending less. The mirror image applies to your ISP, which sees every destination outside the tunnel and only the VPN server's address for traffic inside it. Split tunneling therefore changes nothing about what the VPN provider learns from the traffic you do send through it, and it protects from the ISP only the traffic you route through the tunnel.
Why does my local network stop working in full-tunnel mode?
Full-tunnel mode replaces the default route on your device with one that points at the VPN server. Whether that breaks the local network depends on the client. The on-link route for your home subnet is more specific than the default, so with a plain routing-table setup (WireGuard's wg-quick on Linux, for example) the LAN usually stays reachable; many commercial clients, however, firewall everything that is not the tunnel (the kill switch) or install routes that override the on-link one, so printers, NAS drives, smart home hubs and Chromecasts become unreachable. The fix is the client's "allow LAN" or "local network sharing" option, or an explicit split-tunnel exclusion for your local subnet (your own /24 is better than a whole private range such as 192.168.0.0/16, 10.0.0.0/8 or 172.16.0.0/12) while everything else stays inside the tunnel.