
Most people assume a VPN works the same way for every connection: everything goes through the encrypted tunnel, all traffic is protected, end of story. Split tunneling challenges that assumption.

Split tunneling is a VPN feature that divides your internet traffic into two separate paths. Some traffic goes through the encrypted VPN tunnel. The rest connects directly to the internet without VPN protection. You choose which is which.

It sounds useful — and it can be. But the security trade-offs are real, and most users do not fully understand what they are giving up when they enable it. This article explains how split tunneling works, the three main types, when it makes sense, and when you should leave it disabled entirely.

How Split Tunneling Works

By default, a VPN routes 100% of your internet traffic through a single encrypted tunnel to a VPN server. That server forwards your requests to the sites and services you visit. Every app, every browser tab, every background process — it all goes through the VPN. This is called full tunneling.

Split tunneling breaks that model. Instead of routing everything through the VPN, it creates two parallel paths:

  • VPN tunnel: Traffic you designate as sensitive or private travels encrypted through the VPN server. Websites and services see the VPN's IP address, not yours.
  • Direct connection: Traffic you designate as low-sensitivity goes straight to the internet through your ISP — unencrypted, with your real IP address exposed.

You configure the rules in your VPN app's settings, usually by specifying which apps or websites should use the tunnel and which should bypass it.

The Three Types of Split Tunneling

App-Based Split Tunneling

The most common form. You select which applications route through the VPN and which do not. For example: your work email client and corporate file sync tool go through the VPN; your video streaming app and gaming platform bypass it for lower latency and better speeds.

This is the configuration most home users encounter. The risk: web browsers are the most common candidates for VPN bypass, but browsers handle both sensitive and non-sensitive traffic simultaneously. A single tab with your bank account and a tab with a news site may share the same browser process.

URL-Based Split Tunneling

More granular than app-based. You specify individual websites — a particular domain goes through the VPN, all others connect directly. This allows finer control but is significantly harder to configure correctly without creating security gaps.

A misconfiguration — specifying bank.com instead of *.bank.com, for example — can quietly route traffic you intended to protect through the unencrypted path instead.

Inverse Split Tunneling

The reverse of the usual exclusion model: instead of specifying what bypasses the VPN, you specify what goes through it. Everything else routes directly to the internet. This is useful for organizations that only need to protect access to a small set of internal resources while letting all other traffic flow freely — but it means the overwhelming majority of your traffic is unprotected.

Full Protection, Zero Complexity

CyberFence keeps it simple: AES-256-GCM encryption for all your traffic, a kill switch that cuts your connection if the VPN drops, and Web Shield DNS blocking on every session — no split tunneling configuration required.


Why People Use Split Tunneling

The appeal is practical. VPNs add encryption overhead, which introduces some latency. Routing 4K streaming video or competitive gaming traffic through a VPN server can noticeably affect performance — buffering, lag, dropped frames.

Split tunneling lets users get the security benefits of a VPN for sensitive activity while keeping high-bandwidth, low-sensitivity activity at full speed. Common use cases:

  • Remote workers who need VPN access to company systems but do not want their personal streaming routed through the corporate VPN
  • Travelers who want VPN protection for banking and work email but need local services (weather, maps, regional streaming) to function correctly based on their actual location
  • Gamers who want to keep gaming traffic off the VPN entirely for minimum latency while protecting other traffic
  • Households with bandwidth-limited VPN plans where routing everything through the VPN would exhaust data allowances faster

These are legitimate reasons. The question is whether the performance trade-off is worth the security trade-off — and for many use cases, the answer is no.

The Real Security Risks of Split Tunneling

Split tunneling does not make you less secure than using no VPN at all. But it creates specific, meaningful risks that full tunneling does not.

Unencrypted Traffic Is Exposed

Any traffic that bypasses the VPN travels with your real IP address over your ISP's network — visible to your ISP, to any network monitor between you and the destination, and to anyone performing a man-in-the-middle attack on the same Wi-Fi network. If you are on public Wi-Fi and split tunneling is enabled, everything outside the tunnel is as exposed as if you had no VPN at all.

DNS Leaks

Traffic that bypasses the VPN may also bypass your VPN's encrypted DNS resolver, sending DNS queries through your ISP's default DNS servers instead. This reveals which domains you are visiting to your ISP and any network observer — even if the actual connection to those sites is encrypted by HTTPS. A properly implemented split tunneling setup should enforce DNS through the VPN for all traffic, but many consumer implementations do not.

Mixing Sensitive and Non-Sensitive Traffic in the Same App

This is where most users get into trouble. If you configure your browser to bypass the VPN for speed, you have also configured your banking tab, your email login, and your health portal to bypass the VPN. Apps do not neatly separate sensitive and non-sensitive sessions. App-based split tunneling applies to the application as a whole, not to individual activities within it.

Malware Can Exit Through the Unprotected Path

Corporate security teams flag this specifically. If your device is infected with malware while split tunneling is active, the malware may communicate with command-and-control servers through the unencrypted direct path — completely invisible to corporate security monitoring that only watches VPN traffic. According to NordVPN's security analysis, this makes compromised devices a Trojan horse for broader network infiltration.

Configuration Errors Are Easy to Miss

Every rule you create in a split tunneling configuration is an opportunity for a mistake. An incorrect exclusion pattern, a missed app update that changes its network behavior, or a new service that routes through an already-excluded app can quietly move sensitive traffic outside the tunnel without any visible indication that protection has been lost.
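As an added example, not from the original article or any vendor's client, the two failure modes described above (a bare `bank.com`-style rule in the URL-based section, and a whole browser excluded from the tunnel in the mixing section) modelled as a small rule evaluator with an audit that reports which sensitive destinations end up on the direct path. The policy model, the `audit` helper and all hostnames are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Flow:
    app: str   # process that generated the traffic, e.g. "browser"
    host: str  # destination hostname

def domain_matches(pattern: str, host: str) -> bool:
    """Case-insensitive hostname match. 'bank.example' matches only that exact
    host; '*.bank.example' matches subdomains but not the apex host itself."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower().rstrip("."))

@dataclass(frozen=True)
class SplitPolicy:
    # "exclude": listed traffic bypasses the VPN; "include": only listed traffic is tunnelled (inverse).
    mode: str
    apps: frozenset = frozenset()
    domains: tuple = ()

    def listed(self, flow: Flow) -> bool:
        return flow.app in self.apps or any(domain_matches(p, flow.host) for p in self.domains)

    def route(self, flow: Flow) -> str:
        if self.mode not in ("exclude", "include"):
            raise ValueError(f"unknown mode {self.mode!r}")
        hit = self.listed(flow)
        return ("direct" if hit else "vpn") if self.mode == "exclude" else ("vpn" if hit else "direct")

def audit(policy: SplitPolicy, flows, sensitive) -> list:
    """Report sensitive flows that leave on the direct path, plus include-mode
    domain rules whose pattern misses part of the domain they mean to protect."""
    findings = []
    for f in flows:
        if policy.route(f) == "direct" and any(domain_matches(s, f.host) for s in sensitive):
            findings.append(f"EXPOSED {f.app} -> {f.host} leaves via the direct path")
    if policy.mode == "include":
        for p in policy.domains:
            if p.startswith("*."):
                findings.append(f"RULE {p}: apex host {p[2:]} is not covered")
            elif "*" not in p:
                findings.append(f"RULE {p}: subdomains such as www.{p} are not covered")
    return findings

# Constructed scenarios (hypothetical hosts, not real services).
INVERSE = SplitPolicy("include", frozenset({"mail-client"}), ("bank.example",))
BROWSER_BYPASS = SplitPolicy("exclude", frozenset({"browser"}))
SENSITIVE = ("bank.example", "*.bank.example", "*.health.example")
FLOWS = (Flow("browser", "bank.example"), Flow("browser", "www.bank.example"),
         Flow("browser", "news.example"), Flow("mail-client", "imap.work.example"))
```

Running `audit(INVERSE, FLOWS, SENSITIVE)` flags `www.bank.example` as exposed and the bare rule as incomplete; `audit(BROWSER_BYPASS, FLOWS, SENSITIVE)` flags both banking flows, since the whole browser bypasses the tunnel regardless of destination.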

When to Enable Split Tunneling

Split tunneling makes sense in a limited set of circumstances:

  • You are a remote employee using a corporate VPN and want to keep personal streaming off the company network — and your personal device has its own separate VPN protection for non-corporate traffic
  • You need to access a local printer or NAS device while also maintaining a VPN connection to a remote network, and the two are otherwise incompatible
  • You are a developer or IT professional who understands exactly which traffic you are routing and what the exposure consequences are

When to Keep Split Tunneling Off

For most users, most of the time, split tunneling should be disabled. Keep it off when:

  • You are on any public Wi-Fi network — coffee shops, hotels, airports, coworking spaces
  • You are accessing banking, healthcare, legal, or any other sensitive accounts
  • You are handling work files, client data, or anything subject to HIPAA, FERPA, or other compliance frameworks
  • You are not certain you have configured the rules correctly
  • You are a general user who just wants to be protected without managing exceptions

The performance trade-off is smaller than most people expect. Modern VPN protocols such as WireGuard, and modern ciphers such as AES-256-GCM, add minimal latency for typical browsing, email, and video call traffic. For the vast majority of everyday use, full tunneling is fast enough that split tunneling provides no meaningful benefit while introducing real risk.

Split Tunneling vs. Kill Switch

These two features are often confused but serve entirely different purposes.

A kill switch activates when your VPN connection drops unexpectedly — it cuts your internet access immediately, preventing your traffic from reverting to an unencrypted direct connection. It protects the continuity of your VPN protection during connection failures.

Split tunneling is a deliberate, persistent configuration choice. You choose in advance which traffic bypasses the VPN. The traffic that bypasses it does so by design, not because of a connection failure.

You can use both simultaneously, but understand what each one does: the kill switch protects you from accidental exposure during VPN interruptions; split tunneling is a deliberate choice to expose specific traffic permanently.

One Switch. Complete Protection.

CyberFence's kill switch and full-tunnel AES-256-GCM encryption mean you never have to decide which traffic deserves protection. Every session. Every app. Every device.


The Bottom Line

Split tunneling is a power-user feature that solves a specific problem: routing high-bandwidth, low-sensitivity traffic outside the VPN to preserve performance. In the right hands, configured correctly, for the right use cases, it is a legitimate tool.

For most people, it is not worth the trade-off. The performance gains are modest with a quality VPN, and the security gaps — unencrypted traffic on hostile networks, DNS leaks, misconfiguration risk, malware exit paths — are real. The safest default is full tunneling: everything through the VPN, all the time.

If you are looking for a VPN that gives you strong performance without the complexity of split tunneling configuration, CyberFence uses AES-256-GCM encryption with WireGuard-grade speed, a zero-logs policy, and a kill switch on all platforms. Try it free and see whether you notice the difference. For most users, you will not — and you will not need to configure anything.

For more on how VPN features work together, see our guides on the VPN kill switch, what a zero-logs policy actually means, and how much a VPN actually slows your connection.