What is split tunneling and when should you use it with your VPN?

Split tunneling graphic
(Image credit: NordVPN)

Fast, secure, unblocks everything! VPNs love to shout about their core features, but that means some very handy tools don't get the attention they deserve.

Take split tunneling, for instance. Despite being offered by the likes of ExpressVPN, NordVPN and Surfshark, it doesn't make the headlines on most VPN websites. Plus, the technical-sounding name could put off many users from exploring its abilities. Take a look at the details, though, and you'll find a useful feature that can fix several VPN issues and even accelerate your internet speeds. 

In this article we'll explain what split tunneling is, the problems it solves, when you should use it... and when you probably shouldn't.


Split tunneling: what is it and how does it work

Connect to a VPN and the service normally directs all internet traffic through its own encrypted connection - often known as a tunnel. 

The process of tunneling involves creating a secure connection (the VPN) for transferring data through an insecure environment (your regular internet connection.) It's called a tunnel because the data travels along your internet connection, but strong encryption protects its contents and no-one can see inside.

Split tunneling gives you more control over this process by enabling you to decide which app or website traffic is directed through the tunnel, and which passes through your regular internet connection.

It's a simple idea, but has several benefits (and a few complications, too.)

unblock websites

(Image credit: Shutterstock)

Split tunneling: the pros

Split tunneling is a convenient tool which could fix several VPN annoyances.

Some apps and websites don't work well with VPNs, for instance. Banking sites might complain if you're not in the location they expect; business networks can be more difficult to access; streaming platforms may block you or display different content if it looks like you're in another country.

Normally all you can do is disconnect, access the site or app you need, and reconnect to the VPN when you're done. But with split tunneling you can set a streaming service app (for example) to always use your regular connection, ensuring you'll never be blocked just because the VPN is active.

The feature can also allow you to access remote network devices such as printers or storage. Exclude them from the tunnel and they'll always be available, whatever's happening with the VPN.

Split tunneling can make a real difference with performance, too. If you only need the VPN for a couple of websites, why slow down streaming platforms by directing them through the tunnel? Use split tunneling to pass streams through your ISP's connection and you'll see the maximum possible speeds.

Split tunneling: the cons

Split tunneling saves you plenty of VPN-related time and hassle, but it also reduces your security. Every time you look at an app or a website and decide its traffic doesn't need to pass through the tunnel, you're taking a risk (even if only small) with your online privacy.

The problem is it's very difficult to know whether you're making the right decision. Even experts won't always have the information they need. 

For example, suppose most of the system is using your standard internet connection. You realize you're using a sensitive business app, though, so add that to the 'route through the VPN' list. Looks like you're now protected. 

But what if the app has more than one process running on your PC? What if, apart from the main app, there's a background service handling logons, checking network status, looking for updates? It could even more important that this process uses the tunnel, but there's no way to set that up if you don't know this traffic even exists.

The reality is you can take a guess at when an app needs to use the tunnel and when it doesn't. But it's still just a guess and there's no easy way to tell for sure.

Split tunneling graphic

(Image credit: ExpressVPN)

Should I use split tunneling?

If privacy is your absolute top priority, all of the time - e.g. you're a journalist in a repressive country, you're always accessing sensitive business resources, etc - then split tunneling is best avoided. The risks outweigh the benefits.

If anonymity isn't as vital, though, it's a different story - especially when there's no sensitive information involved.

If you're using your service as a streaming VPN, or is your means of reading a certain regionalized news site, routing that traffic through your standard connection makes a lot of sense. Hotspot operators might see you're accessing those pages, but do you care? Probably not.

Just keep in mind that there is a privacy risk, even if it's minimal, with every new split tunneling rule you add. If that's not your top priority and you're redirecting traffic for a simple game which doesn't need the VPN, it's probably not an issue. But there's a chance these tiny risks might build up into a real problem, so be cautious, and only use split tunneling with the bare minimum of apps.

Split tunneling on the CyberGhost Android app

(Image credit: CyberGhost)

How to use split tunneling

The first step in trying split tunneling is to make sure you're signed up with a VPN that offers it (ExpressVPN, NordVPN, Surfshark, Private Internet Access, CyberGhost, IPVanish, Hotspot Shield and others provide it in some form.) 

Keep in mind that providers have very different levels of support. IPVanish only has split tunneling in its Android and Amazon Fire TV VPN apps; ExpressVPN and NordVPN have it everywhere for apps; Hotspot Shield works for both apps and websites.

Once your VPN is installed, check the Settings box for relevant options. ExpressVPN's Windows app has 'Split tunneling' on the General tab, NordVPN's has a separate Split Tunneling section, and CyberGhost uses a different name ('Smart VPN') but it works in the same way.

You can usually hit an Add button and choose an app to exclude from the tunnel. To test this, add your browser, connect to a VPN server in another country, and use the browser to check your IP address and location at IPStack . If the browser shows your real IP address and location, it's not using the VPN, and split tunneling has worked. 

Using split tunneling on a browser long-term is a really bad idea, as this excludes all your websites from the VPN, so remove it from the list once you've proved the feature works. Then add a couple of apps or sites of your own, run a few tests, and confirm that whatever you're doing with the VPN, your apps now work exactly as you'd expect.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.

TOPICS