Full Tunnel vs Split Tunnel vs App-Based Split

| Mode | What It Routes | Speed Impact | Security Posture | Best For |
|---|---|---|---|---|
| Full tunnel | All traffic — corporate, SaaS, personal browsing — through company VPN | High overhead; all traffic limited by VPN gateway capacity | Highest — all traffic inspectable by corporate security | Compliance-heavy roles; handling regulated data (finance, healthcare, government) |
| Split tunnel by subnet | Only traffic to corporate IP ranges goes through VPN; everything else is direct | Low overhead for non-corporate traffic | Good — corporate traffic still inspected; personal traffic not routed through employer network | Most remote work scenarios; the standard configuration when IT allows it |
| App-based split tunnel | Specific applications (e.g., Outlook, internal tools) use VPN; others do not | Minimal overhead | Medium — depends on which apps are included | Managed devices with MDM; fine-grained control over individual applications |
| Inverse split tunnel | Everything through VPN except explicitly listed destinations (e.g., Microsoft 365 IPs) | Better than full tunnel for specified services | High for everything except the carved-out list | Organizations that want monitoring but exempt specific high-volume SaaS services |
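The four rows above differ only in how the device's route table is populated, plus (for the app-based mode) a per-process policy that ignores destination addresses. The simulator below is an added example, not code from the original article or from any VPN vendor: it builds the route entries each mode implies, resolves sample destinations with longest-prefix match the way an OS route lookup does, and shows the same flow decided under all four modes. The corporate prefixes, SaaS exclusion list, interface names and application names are constructed stand-ins (RFC 1918 and RFC 5737 documentation ranges), not any organization's real values.

```python
"""Route-selection simulator for the four tunnel modes.

Added example, not from the original article. All prefixes, interface names
and application names below are constructed sample values.
"""
import ipaddress

# Constructed: private ranges standing in for corporate subnets.
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]
# Constructed: documentation ranges standing in for a published SaaS exclude list.
SAAS_EXCLUDE = ["203.0.113.0/24", "198.51.100.64/26"]
# Constructed: processes that an app-based policy forces into the tunnel.
VPN_APPS = {"outlook.exe", "internal-erp"}

TUN, PHYS = "tun0", "wlan0"  # VPN interface and the physical home uplink


def build_routes(mode):
    """Express a mode as (prefix, interface) entries; 0.0.0.0/0 is the default route.

    App-based mode is not a route-table decision at all (see route_flow).
    """
    if mode == "full":
        return [("0.0.0.0/0", TUN)]
    if mode == "split_subnet":
        # Default via the home uplink; only corporate prefixes point into the tunnel.
        return [("0.0.0.0/0", PHYS)] + [(p, TUN) for p in CORP_PREFIXES]
    if mode == "inverse":
        # Default into the tunnel; only the carve-outs point at the home uplink.
        return [("0.0.0.0/0", TUN)] + [(p, PHYS) for p in SAAS_EXCLUDE]
    raise ValueError(f"unknown mode {mode!r}")


def select_interface(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def route_flow(mode, dst, app=None):
    """Return 'vpn' or 'direct' for one flow under the given tunnel mode."""
    if mode == "app":
        # Per-process policy: the destination address is irrelevant.
        return "vpn" if app in VPN_APPS else "direct"
    iface = select_interface(build_routes(mode), dst)
    return "vpn" if iface == TUN else "direct"


def compare_modes(flows):
    """Classify each (label, dst, app) flow under every mode -> {label: {mode: decision}}."""
    modes = ("full", "split_subnet", "app", "inverse")
    return {label: {m: route_flow(m, dst, app) for m in modes} for label, dst, app in flows}


# Constructed sample flows: an internal file server, a SaaS video server on the
# exclude list, a public web site, and the same web site opened from a VPN-forced app.
SAMPLE_FLOWS = [
    ("file-server", "10.20.30.40", "explorer.exe"),
    ("saas-video", "203.0.113.7", "zoom.exe"),
    ("news-site", "192.0.2.10", "firefox.exe"),
    ("mail-client", "192.0.2.10", "outlook.exe"),
]

if __name__ == "__main__":
    for label, decisions in compare_modes(SAMPLE_FLOWS).items():
        print(f"{label:12s}", "  ".join(f"{m}={d}" for m, d in decisions.items()))
```

Running it makes the table's "inverse split tunnel" row concrete: it is the full-tunnel route table with a handful of more specific routes pointing back at the home uplink, so anything not on the carve-out list still hair-pins through the gateway.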
Why Full Tunnel Hurts Remote Workers
In a full-tunnel configuration, every packet you send — including a Zoom call to someone in your city, or loading Google Docs — travels to the company VPN gateway first, then back out to the internet. This creates several problems:
- Hair-pinning latency: if the VPN gateway is in Chicago and you are in Seattle, your Zoom call to a Seattle colleague bounces to Chicago and back — adding 40–80ms RTT
- Gateway congestion: corporate VPN gateways are sized for office-scale traffic; when thousands of employees work from home, the gateway becomes a bottleneck
- Unnecessary inspection overhead: Microsoft 365 and Google Workspace traffic is TLS-encrypted between the client and the provider and already passes through Microsoft's or Google's own security controls; routing it through corporate inspection adds overhead without adding security, unless the gateway actually performs TLS inspection or DLP on that traffic (see the FAQ below)
- Upload saturation: a Zoom call uses 3 Mbps upload per participant; through a saturated VPN gateway, this upload traffic competes with everyone else's traffic
Services That Benefit Most from Split Tunneling
These SaaS platforms perform significantly better when exempt from VPN tunneling:

| Service | Traffic Type | Why Split Tunnel Helps |
|---|---|---|
| Zoom, Teams, Google Meet | Real-time UDP audio/video | Eliminates hair-pin latency; prevents jitter from gateway congestion; Microsoft and Zoom both recommend split tunnel for their services |
| Microsoft 365 (Exchange, SharePoint, OneDrive) | Mixed: email, real-time collaboration, file sync | Microsoft publishes the recommended IP ranges to exclude from VPN; documented in their remote work guidance |
| Slack, Discord | WebSocket + real-time messaging | Low latency needed for call quality; file uploads benefit from direct bandwidth |
| Salesforce, Workday, ServiceNow | HTTPS SaaS | All traffic is TLS-encrypted between the client and the SaaS provider; routing it through the corporate VPN adds no security benefit unless the gateway inspects that traffic |
| GitHub, GitLab, Jira | HTTPS API and git traffic | Large repository clones and pushes benefit from direct connection speed |
Services That Should Stay in the VPN Tunnel
- Internal corporate resources: on-premises file servers, internal wikis, legacy applications, ERP systems that are not accessible from the public internet
- Corporate authentication servers (LDAP, RADIUS, on-premises Active Directory)
- Network printer access (if printing to office printers)
- RDP or VDI connections to physical office machines
- Regulated data systems that must remain inside the corporate security perimeter
How to Measure the Impact
Before asking IT to enable split tunneling, gather evidence to support the request:
- Run a speed test with VPN connected and record download, upload, and ping
- Run the same speed test with VPN disconnected and compare
- Use a tool like PingPlotter or MTR to measure latency to the VPN gateway and to a Zoom/Teams server — document the difference
- Record call quality metrics (Zoom shows network statistics during calls via Settings > Statistics; Teams shows connection quality in the call window)
- Note the time of day — VPN gateway congestion is worse during peak hours (9–11 AM, 1–3 PM in your company's time zone)
- Present the data: "VPN adds 45ms latency and reduces upload from 50 Mbps to 12 Mbps; this causes daily call quality issues" is a specific request that IT can act on
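The steps above produce raw ping output and two speed-test figures; turning them into the single sentence in the last step is easy to get wrong when done by hand (jitter in particular is often eyeballed). The script below is an added example, not part of the original article: it parses `ping` output captured with the VPN connected and disconnected, computes mean RTT and a simple jitter estimate (mean absolute change between consecutive RTT samples), and formats the request sentence. The ping output and the 50/12 Mbps upload figures are constructed, and the 40 ms added-latency and 5 ms jitter thresholds are assumptions chosen for illustration, not vendor limits.

```python
"""Summarise VPN-on vs VPN-off measurements into an actionable request.

Added example, not from the original article. The ping output and speed-test
numbers are constructed; the thresholds are assumptions, not vendor figures.
"""
import re
import statistics

RTT_RE = re.compile(r"time=([\d.]+) ms")

# Constructed `ping -c 5` output toward a conferencing server, VPN connected.
PING_VPN_ON = """\
64 bytes from 203.0.113.50: icmp_seq=1 ttl=52 time=61.2 ms
64 bytes from 203.0.113.50: icmp_seq=2 ttl=52 time=58.9 ms
64 bytes from 203.0.113.50: icmp_seq=3 ttl=52 time=70.4 ms
64 bytes from 203.0.113.50: icmp_seq=4 ttl=52 time=59.8 ms
64 bytes from 203.0.113.50: icmp_seq=5 ttl=52 time=65.7 ms
"""

# Constructed output for the same target with the VPN disconnected.
PING_VPN_OFF = """\
64 bytes from 203.0.113.50: icmp_seq=1 ttl=56 time=18.1 ms
64 bytes from 203.0.113.50: icmp_seq=2 ttl=56 time=17.9 ms
64 bytes from 203.0.113.50: icmp_seq=3 ttl=56 time=18.4 ms
64 bytes from 203.0.113.50: icmp_seq=4 ttl=56 time=18.0 ms
64 bytes from 203.0.113.50: icmp_seq=5 ttl=56 time=18.3 ms
"""


def parse_rtts(ping_output):
    """Extract RTT samples in ms; lines without a time= field (timeouts) are skipped."""
    return [float(m.group(1)) for m in RTT_RE.finditer(ping_output)]


def rtt_stats(rtts):
    """Mean and max RTT plus a simple jitter estimate (mean |delta| between consecutive samples)."""
    if len(rtts) < 2:
        raise ValueError("need at least two RTT samples")
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {"mean_ms": statistics.fmean(rtts), "max_ms": max(rtts), "jitter_ms": statistics.fmean(deltas)}


def compare(ping_on, ping_off, upload_on_mbps, upload_off_mbps,
            added_latency_limit_ms=40.0, jitter_limit_ms=5.0):
    """Compare VPN-on and VPN-off measurements and build the sentence IT can act on."""
    on, off = rtt_stats(parse_rtts(ping_on)), rtt_stats(parse_rtts(ping_off))
    added = on["mean_ms"] - off["mean_ms"]
    upload_loss_pct = 100.0 * (upload_off_mbps - upload_on_mbps) / upload_off_mbps
    # Assumed thresholds: flag the tunnel when it adds more latency or jitter than these.
    at_risk = added > added_latency_limit_ms or on["jitter_ms"] > jitter_limit_ms
    summary = (f"VPN adds {added:.0f}ms latency (jitter {on['jitter_ms']:.1f}ms vs "
               f"{off['jitter_ms']:.1f}ms direct) and reduces upload from "
               f"{upload_off_mbps:.0f} Mbps to {upload_on_mbps:.0f} Mbps")
    return {
        "added_latency_ms": added,
        "vpn_jitter_ms": on["jitter_ms"],
        "direct_jitter_ms": off["jitter_ms"],
        "upload_loss_pct": upload_loss_pct,
        "call_quality_at_risk": at_risk,
        "summary": summary,
    }


if __name__ == "__main__":
    report = compare(PING_VPN_ON, PING_VPN_OFF, upload_on_mbps=12, upload_off_mbps=50)
    print(report["summary"])
    print("call quality at risk:", report["call_quality_at_risk"])
```

Capture several runs at different times of day and keep the raw ping output with each: the per-sample deltas are what show gateway congestion, and a single averaged number hides them.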
What to Ask IT
- Is split tunneling allowed under our security policy for my role and device enrollment status?
- Which corporate subnets and applications must stay inside the VPN?
- Is Microsoft 365 Optimize-category traffic already excluded from tunneling? (Microsoft documents these IP ranges specifically for this purpose)
- Is there a VPN gateway in my region? A nearby gateway reduces hair-pinning even in full-tunnel mode
- Can I be placed in a pilot group for split tunnel testing if a policy change is needed?
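Microsoft publishes its endpoint list through a web service (endpoints.office.com) that IT can pull programmatically; each record carries a category (Optimize, Allow or Default) along with IP prefixes, URLs and ports. The script below is an added example, not code from the original article or from Microsoft: it pulls the Optimize-category prefixes out of records in that shape, collapses adjacent prefixes into a clean exclusion list, and checks the list against corporate prefixes, because an exclusion that overlaps an internal subnet would pull corporate traffic out of the tunnel. The records themselves are constructed and use RFC 5737 and RFC 3849 documentation ranges, not Microsoft's real prefixes, and the corporate prefixes are likewise sample values.

```python
"""Build an inverse-split exclusion list from Microsoft 365 endpoint records.

Added example, not from the original article or from Microsoft. The record
shape (category, required, ips, urls, ports) follows Microsoft's documented
endpoint web service; the records and prefixes below are constructed.
"""
import ipaddress
import json

# Constructed records in the shape of the endpoint web service output.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office365.com"], "tcpPorts": "443",
     "ips": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:1::/48"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.protection.outlook.com"], "tcpPorts": "443,25", "ips": ["192.0.2.0/24"]},
    {"id": 3, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "udpPorts": "3478,3479,3480,3481", "ips": ["198.51.100.64/26"]},
    {"id": 4, "serviceArea": "SharePoint", "category": "Default", "required": False,
     "urls": ["*.sharepoint.com"]},  # URL-only record: no ips key at all
])

# Constructed corporate prefixes for the overlap check.
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]


def optimize_prefixes(doc, version=4):
    """Return collapsed, sorted Optimize-category prefixes of one IP version."""
    nets = []
    for record in json.loads(doc):
        if record.get("category") != "Optimize" or not record.get("required", True):
            continue
        for prefix in record.get("ips", []):  # URL-only records have no ips
            net = ipaddress.ip_network(prefix)
            if net.version == version:
                nets.append(net)
    # collapse_addresses merges 203.0.113.0/25 + .128/25 into 203.0.113.0/24
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def exclusion_conflicts(exclusions, corp_prefixes):
    """Pairs (exclusion, corporate prefix) that overlap; any hit means internal traffic would bypass the tunnel."""
    conflicts = []
    for e in map(ipaddress.ip_network, exclusions):
        for c in map(ipaddress.ip_network, corp_prefixes):
            if e.version == c.version and e.overlaps(c):
                conflicts.append((str(e), str(c)))
    return conflicts


def would_bypass_tunnel(exclusions, dst):
    """True if a flow to dst would leave the tunnel under this exclusion list."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(e) for e in exclusions if ipaddress.ip_network(e).version == ip.version)


if __name__ == "__main__":
    v4 = optimize_prefixes(SAMPLE_ENDPOINTS, version=4)
    v6 = optimize_prefixes(SAMPLE_ENDPOINTS, version=6)
    print("IPv4 exclusions:", v4)
    print("IPv6 exclusions:", v6)
    print("conflicts with corporate prefixes:", exclusion_conflicts(v4, CORP_PREFIXES))
```

Only Optimize-category prefixes are excluded here; Allow and Default records stay in the tunnel, which is the split Microsoft's guidance draws for VPN scenarios. Rerun the overlap check whenever either list changes, since both are updated independently.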
Frequently Asked Questions
What is split tunnel VPN?
Split tunneling sends only selected corporate traffic through the company VPN while other internet traffic takes your normal home connection directly. A subnet-based split tunnel (the most common type) routes traffic to your company's private IP address ranges through the VPN, while traffic to public internet destinations — Zoom, Google, news sites, personal email — bypasses the VPN entirely. The result is that work-only traffic is protected by the corporate security perimeter while public internet traffic is not burdened by VPN overhead.
Is split tunneling safe for work?
Yes, when configured correctly by IT. The security argument against split tunneling is that traffic leaving the VPN is not inspected by corporate firewalls. But most SaaS traffic (Microsoft 365, Zoom, Salesforce) is already TLS-encrypted between the client and the provider, so corporate inspection adds overhead without adding meaningful security. The risk is primarily for organizations that use corporate DLP (data loss prevention) tools that inspect outbound traffic; split tunnel bypasses that inspection. Never enable split tunneling yourself by changing VPN settings against IT policy — always work with IT.
Does split tunneling improve video calls?
Significantly in most cases. Zoom, Teams, and Google Meet use UDP-based real-time protocols that are extremely sensitive to latency and jitter. A VPN gateway that adds 40ms and introduces 5ms of jitter during congestion will cause choppy audio and frozen video. With split tunneling, call traffic takes the shortest path directly to Zoom's or Microsoft's servers, often reducing call latency by 30–60ms and eliminating gateway-related jitter entirely. Both Microsoft and Zoom officially recommend split tunnel configurations for their services in corporate remote work scenarios.
Can I set up split tunneling myself?
On corporate-managed devices, usually not — the VPN configuration is pushed by IT and locked. On personal devices accessing corporate resources, you may have more flexibility, but changing VPN routing settings unilaterally likely violates your company's acceptable use policy. The correct path is to document the problem with measurement data and request an IT-approved split tunnel configuration. If your company uses Cisco AnyConnect, GlobalProtect, or Palo Alto Prisma Access, IT can enable split tunnel configurations centrally without any change needed on your device.