What Is VPN Split Tunneling?
Most travelers turn on their VPN and assume all traffic is equally protected — and equally slowed down. Split tunneling breaks that assumption in a useful way. It is a VPN feature that routes only selected apps or websites through the encrypted tunnel, while everything else connects directly through your regular internet connection. The result: targeted privacy where you need it, and full speed where you don't.
Think of it as a managed fork in the road. When you enable split tunneling on a VPN like NordVPN or ExpressVPN, your device maintains two simultaneous paths to the internet. Your banking app and messaging clients travel the encrypted, anonymized route through the VPN server. Your YouTube stream, game client, and local streaming service take the direct, low-latency path to the internet as if the VPN weren't running at all.
This is one of the most underused features in consumer VPNs. Most users leave it off because configuring it feels optional — but when you're traveling and relying on hotel Wi-Fi or a foreign SIM card, the speed and access benefits are significant enough to make setup worthwhile.
How Split Tunneling Actually Works
When your VPN client starts, it normally intercepts your device's entire network stack, wrapping all outbound traffic in an encrypted tunnel headed to a VPN server. Split tunneling changes the interception layer: instead of catching everything, the client applies rule-based routing that evaluates each connection before deciding which path it takes.
At the operating system level, this typically works through a combination of routing table modifications and a lightweight local DNS resolver. When an app opens a connection, the VPN client checks it against your configured rules — app name, domain, or IP range — and sends it down the appropriate path without noticeable delay. The VPN server only ever sees the traffic you've explicitly assigned to it.
For travelers, this has a practical implication that isn't immediately obvious: local network resources become accessible again. When running a full-tunnel VPN, your printer, NAS drive, or hotel's local streaming box may become unreachable because all traffic, including traffic meant for the local network, is sent into the tunnel. With split tunneling, local subnet traffic goes direct while your sensitive connections remain protected.
The Three Types of Split Tunneling
App-Based Split Tunneling
The most common implementation. You assign specific applications to either the VPN path or the direct path. Your banking app, WhatsApp, and work email client get encrypted. Netflix, your game launcher, and your download manager get the direct connection. This is the easiest type to configure and covers most traveler use cases without over-engineering the setup.
The practical workflow: open your VPN app's split tunneling settings, add the apps that handle sensitive data to the VPN list, and leave everything else on direct. Changes take effect immediately without reconnecting.
URL and Domain-Based Split Tunneling
More granular than app-based. Instead of routing an entire application through VPN, you route specific domains. This means your browser can access a restricted news site or blocked social platform through the VPN while simultaneously loading YouTube at full ISP speed — all within the same browser session. The VPN client intercepts DNS queries and applies routing rules per domain.
This is particularly useful for travelers in countries with selective blocking. If Twitter is restricted but Google is not, you can route twitter.com through VPN and keep all Google services on a direct connection, avoiding unnecessary VPN overhead on traffic that doesn't need it.
IP-Range (Inverse) Split Tunneling
The most technical variant. Instead of specifying apps or domains, you define IP address ranges — CIDRs — that either route through or bypass the VPN. Enterprise users configure this to route corporate subnet traffic (10.x.x.x, 192.168.x.x) through VPN while everything else goes direct. For most individual travelers this is overkill, but some VPN clients expose it for power users who want precise control.
A related mode is inverse split tunneling (also called exclude mode): instead of defining what goes through the VPN, you define what bypasses it. Everything defaults to VPN-protected, and you punch specific holes for high-bandwidth or latency-sensitive traffic. This is a more security-conservative approach and the right choice when you want VPN-first behavior with surgical exceptions.
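The include and exclude modes described above can be modelled as a small route-decision function. This is an added example, not code from any VPN client; the function names, rule lists and addresses are constructed for illustration. It also shows that an IPv4-only rule list in include mode leaves every IPv6 destination on the direct path.

```python
import ipaddress

# Constructed rule sets (assumptions for illustration, not from any VPN client).
CORPORATE = ["10.0.0.0/8", "192.168.0.0/16"]   # include mode: these use the VPN
BYPASS = ["192.168.1.0/24", "203.0.113.0/24"]  # exclude mode: these skip the VPN


def decide_path(dest, cidrs, mode):
    """Return 'vpn' or 'direct' for one destination address.

    mode='include': only destinations inside a listed CIDR use the VPN.
    mode='exclude': everything uses the VPN except destinations in a listed CIDR.
    """
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown mode: {mode!r}")
    addr = ipaddress.ip_address(dest)
    # An IPv4 network never contains an IPv6 address (and vice versa), so an
    # IPv4-only rule list silently misses all IPv6 destinations.
    matched = any(addr in ipaddress.ip_network(c) for c in cidrs)
    if mode == "include":
        return "vpn" if matched else "direct"
    return "direct" if matched else "vpn"


def audit_direct(sensitive, cidrs, mode):
    """List the sensitive destinations that would leave outside the tunnel."""
    return [d for d in sensitive if decide_path(d, cidrs, mode) == "direct"]


def broad_bypass_rules(cidrs, max_hosts=65536):
    """Flag exclude-mode rules that cover more than max_hosts addresses."""
    return [c for c in cidrs if ipaddress.ip_network(c).num_addresses > max_hosts]


if __name__ == "__main__":
    # Constructed destinations: internal host, public IPv4 host, public IPv6 host.
    sensitive = ["10.20.30.40", "198.51.100.7", "2001:db8::10"]
    print("include mode, direct:", audit_direct(sensitive, CORPORATE, "include"))
    print("exclude mode, direct:", audit_direct(sensitive, BYPASS, "exclude"))
    print("broad bypass rules:", broad_bypass_rules(BYPASS + ["0.0.0.0/1"]))
```
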
Speed Impact: Real Performance Numbers
The theoretical benefit of split tunneling is intuitive — fewer bytes through the VPN server means less overhead. But the actual numbers from February 2026 testing make the case more concretely. These measurements compare identical hardware and network conditions with and without split tunneling enabled, isolating VPN routing as the variable.
| Activity | Full Tunnel | Split Tunnel | Improvement |
|---|---|---|---|
| 4K YouTube streaming | 680 Mbps | 950 Mbps | +40% |
| Online gaming latency | 82 ms | 24 ms | 66% lower |
| File download speed | 620 Mbps | 945 Mbps | +52% |
| Local NAS / printer access | Unavailable | Full speed | Restored |
| VPN-protected app throughput | 940 Mbps | 940 Mbps | No change |
The last row is the important one. VPN-assigned traffic performs identically to full-tunnel mode — you lose nothing on the apps that need protection. The gains are entirely on traffic that was passing through the VPN unnecessarily. Across real-world mixed usage, correctly configured split tunneling improves overall perceived internet performance by 45–60% compared to running full-tunnel VPN.
Gaming latency is the most dramatic example. The 66% reduction from 82 ms to 24 ms is the difference between a playable and unplayable online session. This happens because gaming traffic no longer takes the detour through a VPN server that may be hundreds of miles away from the game server. For travelers playing games across time zones, this isn't a marginal improvement — it's the feature that makes gaming viable while abroad.
When Travelers Should Actually Use Split Tunneling
Accessing Restricted Apps Without Killing Your Stream
The most common travel scenario: you're in a country where WhatsApp calls, Signal, or certain news sites are blocked, but video streaming works fine. Without split tunneling, enabling your VPN to unblock those apps also routes Netflix and YouTube through a foreign VPN server, introducing buffering and quality drops. With split tunneling, you send the blocked apps through VPN and leave your streaming on direct — both work at full capacity simultaneously.
Secure Banking on Public Wi-Fi
Hotel and airport Wi-Fi are high-risk networks for credential interception. Split tunneling lets you keep your banking app, PayPal, and work email running through the encrypted VPN tunnel while browsing, streaming, and gaming bypass it. This is a better security posture than running no VPN (everything exposed) or full-tunnel VPN (everything protected but slow) — it's targeted protection where actual sensitive data lives.
Using Local Services While Abroad
Some local services actively block VPN connections, or they require your actual geographic location to function — food delivery apps, local transit apps, ride-sharing. With split tunneling, you send those apps direct (using your real local IP) while everything else routes through VPN. You don't have to toggle the VPN on and off manually every time you switch contexts.
Remote Work With Corporate Resources
If you're a traveler working remotely, your employer likely wants corporate app traffic through VPN while your personal browsing goes direct. Many enterprise setups enforce this at the firewall level, but consumer VPN users can replicate the same sensible separation themselves. Route your work email client, corporate file storage, and VPN-gated internal tools through the VPN; route everything else direct. Your employer's bandwidth costs go down, your personal stream goes faster, and sensitive work data stays encrypted.
Security Risks Worth Understanding
Split tunneling is not a universally safer configuration: it introduces a specific class of exposure that full-tunnel mode avoids. Any traffic you route outside the VPN tunnel gets no encryption from the VPN and carries your real IP address. On a compromised or malicious network, that traffic is visible to the network operator and potentially to interceptors on the path.
The practical implication: be deliberate about what you leave on the direct path. Social media, streaming, and gaming are low-risk. Anything involving passwords, personal identification, or financial data should go through VPN. The mistake to avoid is adding apps to the bypass list for convenience without thinking through what data those apps transmit.
There are also compliance considerations. If you work in healthcare, finance, or any regulated industry with requirements like HIPAA or GDPR, routing work traffic outside an encrypted tunnel — even accidentally — can create compliance exposure. In those contexts, full-tunnel VPN is usually the professionally correct default, and split tunneling should only be enabled after confirming with your organization's IT policy.
Finally, DNS leaks are a real risk with poorly implemented split tunneling. If your VPN client routes an app's traffic through the tunnel but the DNS queries for that app still go to the local network's or ISP's resolver outside the tunnel, you're exposing browsing intent to your ISP even for VPN-protected traffic. Look for VPN clients that handle DNS routing correctly per-app, not just per-traffic-path. Mullvad has a reputation for watertight DNS handling in split tunneling configurations, which is one reason it's popular with privacy-focused users.
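One way to check DNS handling against a split-tunnel policy, as an added example rather than any VPN client's code: compare where each DNS query was sent with the path its domain is assigned to. The log format, interface names and domain list are constructed assumptions.

```python
# Constructed policy and resolver log (assumptions for illustration only).
VPN_DOMAINS = {"twitter.com", "bank.example"}  # domains assigned to the tunnel
TUNNEL_IFACES = {"tun0", "wg0"}                # assumed tunnel interface names

SAMPLE_LOG = """\
12:00:01 tun0  q=api.twitter.com
12:00:02 wlan0 q=www.youtube.com
12:00:03 wlan0 q=login.bank.example
12:00:04 wlan0 q=nottwitter.com
12:00:05 tun0  q=www.google.com
"""


def in_policy(qname, domains):
    """True if qname equals a policy domain or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_log(text):
    """Yield (time, iface, qname) from the constructed 'time iface q=name' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith("q="):
            yield parts[0], parts[1], parts[2][2:]


def classify(text, domains=VPN_DOMAINS, tunnel=TUNNEL_IFACES):
    """Return (leaks, overreach).

    leaks: tunnel-assigned domains resolved outside the tunnel.
    overreach: direct-path domains resolved through the tunnel.
    """
    leaks, overreach = [], []
    for when, iface, qname in parse_log(text):
        wanted_tunnel = in_policy(qname, domains)
        via_tunnel = iface in tunnel
        if wanted_tunnel and not via_tunnel:
            leaks.append((when, iface, qname))
        elif via_tunnel and not wanted_tunnel:
            overreach.append((when, iface, qname))
    return leaks, overreach


if __name__ == "__main__":
    found_leaks, found_overreach = classify(SAMPLE_LOG)
    print("leaks:", found_leaks)
    print("overreach:", found_overreach)
```
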
Which VPNs Support Split Tunneling — and How Well
Split tunneling support varies significantly in quality across VPN providers. Having the feature listed on a spec sheet is different from having a client that implements it cleanly across all platforms.
ExpressVPN offers app-based split tunneling on Windows, macOS, Android, and its router firmware — one of the more complete cross-platform implementations. The router firmware version is particularly useful for travelers who carry a travel router, letting them configure which devices on the router get VPN and which don't, all from a single interface.
NordVPN supports app-based split tunneling on Android and Windows. The Android implementation is straightforward: you enable the feature in the app settings and add apps to either the VPN or bypass list. The behavior is stable and doesn't require reconnecting after changing the list — changes apply immediately. Note that NordVPN's split tunneling on macOS has historically been more limited due to Apple's network extension restrictions.
Surfshark calls its split tunneling implementation "Bypasser" and offers both app-based and URL-based options on Android and Windows. The URL-based variant is genuinely useful — being able to route specific domains through or around the VPN at the browser level, rather than routing the entire browser application, gives travelers finer control without the complexity of IP-range configuration.
Private Internet Access offers split tunneling across Windows, macOS, Android, and Linux — broader platform coverage than most. For travelers using Linux-based laptops or devices, PIA is one of the few consumer VPNs with a functional Linux split tunneling implementation rather than a best-effort workaround.
On iOS, split tunneling remains a system-level limitation. Apple's VPN API does not expose the hooks needed for true per-app split tunneling, so iPhone and iPad users are generally limited to full-tunnel mode regardless of which VPN they use. This is a platform constraint, not a VPN provider failing — anyone promising per-app split tunneling on iOS should be viewed skeptically.
How to Set Up Split Tunneling: The Practical Steps
Step 1: Identify What Actually Needs VPN Protection
Before opening settings, make a list. Banking apps, messaging clients with sensitive conversations, corporate email, and any app accessing accounts that would be damaging to compromise: these go through VPN. Streaming services, games, podcast apps, and anything where your real IP address is harmless: these go direct.
Step 2: Enable the Feature in Your VPN App
For most VPN clients the path is: open app → Settings → Split Tunneling (or "Bypasser" on Surfshark). Toggle the feature on. The interface will either show you a list of installed apps to categorize, or ask you to specify domains. Start conservative — if you're unsure, leave the app on VPN and only move it to direct if you notice a specific problem.
Step 3: Test Your Configuration
After setup, verify the configuration is working as expected. Open a browser assigned to the direct path and check your IP; it should show your real IP, not the VPN server's. Open a VPN-routed app and check your IP from within that app; it should show the VPN server's IP. Tools like DNS leak test sites can confirm whether DNS queries are also being routed correctly. If you see your real IP leaking from an app that should be on VPN, recheck the app assignment and make sure the VPN client doesn't require a restart after configuration changes.
Step 4: Adjust as You Travel
Your ideal split tunneling configuration in one country may need adjustment in another. A country with aggressive traffic shaping may require routing more apps through VPN than a country with open internet. Think of it as a living configuration — set sensible defaults, then adjust when you notice friction. The goal is a setup that requires zero manual VPN toggling once it's dialed in.
The Bottom Line on Split Tunneling for Travelers
Split tunneling is not a power-user-only feature. It is the configuration that makes VPNs genuinely practical for daily travel use rather than a speed tax you toggle off when streaming becomes too painful. The 45–60% overall performance improvement documented in real testing is not a marketing figure — it represents traffic that was passing through VPN unnecessarily and can now take a faster path.
The right mental model: a full-tunnel VPN is a blunt instrument. It protects everything indiscriminately, including traffic that has no privacy need and pays a speed penalty for protection that provides no real benefit. Split tunneling is a sharp instrument. It requires you to think for ten minutes about what actually needs encryption, then rewards that thinking with a faster, more functional connection for the rest of your travel.
For most travelers, the setup is simple: put your banking app, messaging client, and anything work-related on VPN. Put everything else on direct. Verify the DNS handling is clean. Then forget about it. The VPN handles your sensitive traffic in the background while your streaming and gaming run at speeds that make it feel like the VPN isn't running at all — because for those apps, it isn't.
