Working online today means juggling security, speed, and convenience, and sometimes your VPN can get in the way. Maybe you’re using your company’s VPN to access a critical spreadsheet, but while trying to stream a video tutorial, the playback keeps buffering. Or maybe your printer won’t connect unless you disable the VPN altogether. But what do you do, disable the secure VPN while handling sensitive data? 

This is where VPN split tunneling comes in. It gives you more control, so you can stay secure and keep things running smoothly. In this guide, we will walk you through how split tunneling works and when to use it safely.

Key Takeaways

  • Split tunneling lets you choose which apps use your VPN and which are routed directly through the internet, improving speed and flexibility while still protecting sensitive traffic.
  • The biggest risk of VPN split tunneling is misconfiguration. Excluding the wrong apps or browsing outside the tunnel can expose sensitive data or bypass corporate security.
  • Split tunneling can create vulnerabilities, such as DNS leaks, exposure to insecure public Wi-Fi, and malware communication that evades security or corporate monitoring, if traffic is routed outside the tunnel.
  • Use a secure-by-default approach whenever possible, tunneling all sensitive apps such as work, banking, email, and excluding only low-risk activities like streaming or gaming.
  • Keep your layers of protection strong. Enabling MFA, update your VPN client regularly, test for IP or DNS leaks after configuration changes, and use comprehensive security software to catch threats to your VPN.

What is VPN Split Tunneling?

Let’s start with the basics: a virtual private network. A VPN creates a secure, encrypted tunnel between your device and a remote server, shielding your online activity from your internet service provider, cybercriminals on public Wi‑Fi, and other potential eavesdroppers. This full-tunnel VPN protects all your traffic flows for maximum privacy. Split tunneling takes this idea and gives you more control.

So what is split tunneling? VPN split tunneling lets you choose which apps or websites go through your encrypted VPN connection and which ones connect directly to the internet, instead of sending everything through the VPN. It’s a bit like choosing which items go into a locked safe versus which ones can stay in your backpack.

You might split your online tasks between sensitive tasks and everyday activities and choose to access sensitive resources through your VPN (like your bank account) while bypassing the VPN for your everyday activities (like watching videos).

How Split Tunneling Works

With split tunneling enabled, your device sends traffic down two paths at the same time:

  • Protected through the VPN: Work apps, banking, email, company resources, anything that should stay encrypted.
  • Direct to the internet: Activities that don’t need VPN protection, such as streaming, gaming, or connecting to local devices like printers and smart home systems.

Split Tunneling vs Full Tunnel VPN

A full‑tunnel VPN routes all of your internet traffic through the encrypted VPN server, offering maximum security, while a split-tunnel VPN protects the apps you choose while allowing the rest to connect directly to the internet.

Full‑Tunnel VPN

Split‑Tunnel VPN

Encrypts all traffic

Encrypts only the traffic you choose

Offers comprehensive protection

Improves speed and performance for low‑risk activities

May slow down high‑bandwidth activities like streaming or gaming

Provides flexibility but requires careful configuration to avoid exposing sensitive data

Best for sensitive work, travel, and public Wi‑Fi.

Best for speed‑heavy tasks, smart devices, and everyday browsing.

Why Use VPN Split Tunneling?

When you push all of your internet traffic through a VPN, the VPN server can sometimes slow things down considerably, especially when multitasking or running bandwidth-heavy activities like video streaming or gaming.

Split tunneling has become very popular with over 1.75 billion global VPN users, because it offers practical benefits: performance and flexibility. 

  • Performance and Speed Benefits: You can still enjoy the extra security while reducing latency and unnecessary bandwidth bottlenecks. Stream video, download files, or game without routing everything through a busy VPN server.
  • Compatibility With Local Devices: Printers, smart TVs, or smart home devices on your home network may not work properly when all your traffic runs through a VPN server that is hundreds or thousands of miles away. Split tunneling helps them work normally.
  • Benefits for Remote Work and Shared Bandwidth: For remote workers in shared households or limited-bandwidth environments, split tunneling has become especially valuable, preventing the VPN from becoming a bottleneck when several people are online. 

The approach acknowledges that different types of data carry different levels of risk and deserve correspondingly different levels of protection.

Types of Split Tunneling

Depending on your VPN provider and device, you may use any of the split-tunneling options listed below. 

Application-Based Split Tunneling

Standard split tunneling lets you choose which apps and services use the VPN’s encrypted tunnel and which use the regular internet connection, hence the term “splitting” your internet traffic into two paths.

For instance, your access to sensitive files on your company’s internal network absolutely should go through the VPN for security. When streaming a podcast in the background, you may bypass the VPN and run at full speed through the regular internet connection.

Inverse Split Tunneling

Inverse split tunneling reverses this process by allowing you to decide what should bypass the VPN, while everything else defaults to the secure tunnel. This option is growing popular within modern Zero Trust architectures, where the default assumption is that all traffic should be protected unless explicitly excluded.

IP or URL-based Split Tunneling

IP or URL-based split tunneling routes traffic based on website addresses, domains, or network destinations that you specify. This method is common in corporate environments, where IT teams configure VPNs to automatically secure traffic to business systems while allowing general internet browsing to connect directly. It offers precise control at the network level, but it can be harder for everyday users to configure correctly. If misconfigured, sensitive web traffic may accidentally bypass the VPN, so it’s typically best managed by experienced administrators.

Split Tunneling May Create Vulnerabilities Risks and Vulnerabilities of Split Tunneling

Split tunneling is powerful, but misconfiguration can expose sensitive data or create gaps in corporate security. If the wrong app bypasses the VPN, it may leak data or connect to unsafe networks.

The boundary between protected and unprotected traffic also becomes a potential attack point, especially for malware, DNS leaks, or unsecured public Wi‑Fi. A compromised device can become a bridge between secure and insecure networks.

In a full-tunnel VPN, if malware infects your device while you’re browsing the web, its attempts to connect to its server must also go through the VPN. This is beneficial because your company’s security systems, including firewalls, intrusion detection systems, and threat monitoring, can detect suspicious traffic and block it. 

With split tunneling, where you might have configured your web browser to bypass the VPN, that same malware can communicate with its controllers over your unencrypted home internet connection and evade your corporate security protections.

Real-World Incidents Caused by Misconfiguration

Several recent cases show what can go wrong:

In May 2024, security researchers disclosed TunnelVision, a VPN bypass technique that exploited split-tunnel configurations to intercept user traffic. Attackers masqueraded as legitimate VPN servers, successfully infiltrating corporate networks.

In another incident in early 2024, a major VPN provider discovered a critical issue with its Windows split-tunneling feature. When users enabled split tunneling in the “Only allow selected apps to use the VPN” mode, DNS requests that reveal which websites you’re visiting leaked outside the encrypted tunnel. Instead of being routed through the VPN provider’s private DNS servers, these queries were sent directly to users’ internet service providers, exposing their browsing habits. This flaw had existed since May 2022, potentially affecting users for nearly two years before being discovered. 

These incidents underline why careful setup and regular updates matter.

Common Attack Techniques

Some specific attack methods are effective at targeting split-tunnel configurations. 

  • Man in the middle attacks: In man-in-the-middle attacks on public Wi-Fi, a cybercriminal on the same coffee shop network as you can intercept the unencrypted traffic you’ve excluded from your VPN, while your work traffic remains protected.
  • Configuration errors: Maybe you set your web browser to bypass the VPN for faster streaming, only to forget that you use the same browser to access your company’s web-based applications. Or perhaps you excluded your entire home network to access your printer, creating a pathway that malware could exploit.
  • DNS leaks: As demonstrated by the incident above, DNS leaks are a persistent concern with split tunneling. Even when your application data flows through the VPN, the DNS queries may reveal your browsing patterns to your ISP or anyone monitoring your network.
  • Ransomware exposure: In 2024, Coalition revealed that 58% of ransomware incidents stemmed from compromised VPN or firewall devices. While not all of these involve split tunneling specifically, the pattern is clear: VPN misconfigurations such as poorly managed split tunneling may increase risk.

How to Use Split Tunneling Safely

These practical guidelines will help you decide when to enable split tunneling and how to configure it without exposing yourself to risk.

When to Avoid Split Tunneling Entirely

Sometimes the smartest choice is simply to use a full-tunnel VPN, especially if you work with genuinely sensitive information, including financial data, healthcare records, legal documents, and proprietary business information. Organizations subject to compliance frameworks, including NIST SP 800-171 or the Cybersecurity Maturity Model Certification, often explicitly prohibit split tunneling for devices that handle controlled unclassified information. If your employer has a VPN policy, it is best to follow it.

The Safe Configuration Checklist

When you do use split tunneling, follow these rules to minimize risk:

  • Always protect sensitive applications: Banking apps, work email, document collaboration tools, and anything accessing company resources must go through the VPN. Never exclude these applications for the sake of speed.
  • Use inverse split tunneling when possible: Instead of specifying what should use the VPN, specify the few that can bypass it, usually just streaming services and gaming. This secure-by-default approach ensures that only the traffic you’re comfortable exposing bypasses the VPN.
  • Exclude only truly low-risk traffic: Entertainment or music streaming and online gaming are generally safe to exclude from your VPN. Social media might be acceptable depending on your risk tolerance. Be honest about your actual usage of these apps. If you check work messages on Messenger, don’t exclude Facebook.
  • Keep split-tunnel rules simple: The more complex your configuration is, the more likely you are to make a mistake. A good rule of thumb: if you can’t explain your split-tunneling setup to a friend in one minute, it’s probably too complicated.
  • Review your configuration regularly: Set a quarterly reminder to review which apps you’ve excluded from your VPN and ask yourself if those choices still make sense.

Platform-Specific Recommendations

Split tunneling doesn’t work exactly the same way on every device. Its implementation and risks can vary depending on your operating system and whether you’re using a personal or corporate-managed device. 

  • For Windows: Some VPN split-tunneling implementations on Windows have historically had issues, including DNS leaks. Make sure your VPN software is fully updated, and consider using DNS leak test tools periodically to verify your configuration is working as intended.
  • For mobile devices: Mobile apps often run in the background and update automatically, potentially creating security gaps you’re not aware of. If you enable split tunneling on mobile, be extra conservative about which apps you exclude.
  • For corporate devices: If your employer provides your device, don’t modify VPN settings without explicit permission. Your company may have remote monitoring configured, and unauthorized changes could violate your acceptable use policy.

Complement Split Tunneling with Other Protections

Split tunneling shouldn’t be your only security layer. Combine it with these additional protections:

  • Enable multi-factor authentication on important accounts: Even if an attacker intercepts your credentials through a split-tunnel vulnerability, MFA provides a crucial second line of defense.
  • Use a comprehensive security suite: Modern endpoint protection platforms can detect malware that is attempting to exploit split-tunnel configurations. McAfee+, for example, offers real-time threat detection, safe browsing tools, and identity monitoring that work with your VPN. 
  • Keep everything up to date: Enable automatic updates for your operating system, VPN client, and all applications. Many VPN vulnerabilities can be patched quickly, but only if users install the updates.
  • Use strong, unique passwords managed by a password manager. This reduces the damage if credentials get exposed through a VPN vulnerability.

When Working Remotely

On untrusted networks, such as coffee shops, airports, or hotels, consider using full-tunnel VPN mode, even if it means slower performance, especially when accessing company resources. Public Wi-Fi networks are inherently risky, and split tunneling on them creates additional exposure. 

If you must use split tunneling while traveling, at a minimum, ensure that your web browser and all work-related applications are routed through the VPN. Exclude only entertainment streaming or other clearly personal, non-sensitive activities.

How to Test Your Configuration

Once you’ve configured split tunneling, verify it’s working as intended. Visit a “What is my IP?” website with different applications to confirm which are using the VPN and which aren’t. For the apps you’ve tunneled through your VPN, the displayed IP address should be your VPN server’s IP address, not your actual IP address. For excluded apps, your real IP should appear. Run these tests periodically to catch configuration drift or unexpected changes after software updates.

Final Thoughts

In this guide, we underscored three critical points: First, split tunneling is powerful but not foolproof and requires thoughtful configuration. Second, even reputable VPN providers can have vulnerabilities, making it essential to know their limitations and to keep your VPN software updated. Third, the risks vary dramatically depending on how you use split tunneling; routing streaming video around your VPN is very different from excluding business-critical applications.

For individual users, the practical takeaway is simple: split tunneling is a tool, not a silver bullet. Used wisely and correctly, it offers performance benefits while keeping your sensitive data secure.

As we move forward, split tunneling will continue to evolve alongside broader changes in network security. This approach acknowledges that perfect security is difficult to attain, but layered defenses, such as McAfee+, can make attacks significantly harder to execute. And remember, security isn’t a one-time configuration. It’s an ongoing practice.