Split Tunneling: Route Only Some Apps Through Your VPN
Key points
- Split tunneling routes chosen apps outside the VPN while everything else stays encrypted.
- Exclude mode fails safe because new apps stay protected by default; prefer it over include mode.
- Use it for bulky downloads, local printers, and services that block VPN addresses.
- Every excluded app exposes your real IP address, so keep the list short and review it monthly.
On this page
Most VPN apps make an all-or-nothing choice for you. Either every byte your device sends goes through the encrypted tunnel, or none of it does. That default is safe, but it is not always practical. Some apps need your real network, some traffic does not benefit from the tunnel, and some tasks slow down inside it.
Split tunneling removes the all-or-nothing limit. It lets you decide, app by app or site by site, which traffic travels through the VPN and which uses your normal connection. Done well, it gives you protection where it counts and full speed everywhere else.
This guide explains how split tunneling works, the two modes you will see in real apps, where it genuinely helps, and the risks you accept when you open a path around the tunnel.
What split tunneling is
A quick refresher helps here. As covered in our explainer on what a VPN does, a VPN normally captures all of your device's traffic, encrypts it, and routes it through a remote server. Split tunneling adds an exception list to that rule. Traffic on the list takes one path, and everything else takes the other.
The name describes the result: your connection is split into two lanes. One lane is the encrypted VPN tunnel. The other is your direct, ordinary internet connection, exactly as if the VPN were off for that specific traffic.
Support varies by platform. Desktop and Android apps usually offer full per-app splitting. iOS is more restricted, so VPN apps there often split by destination instead of by app. Router-level VPNs can split by device, sending the work laptop through the tunnel while the game console connects directly. Check what your platform supports before planning your setup around a feature it may not have.
How it works under the hood
Your operating system keeps a routing table, a set of rules that decides where each outgoing packet goes. A normal VPN connection rewrites that table so the tunnel catches everything. Split tunneling installs finer-grained rules instead. Packets from a chosen app, or packets headed to a chosen address, are matched and steered to the regular network interface. Everything else still defaults to the tunnel.
Because the rules act per packet, both lanes run at the same time. You can stream a video over your direct connection while your browser, in the same minute, works entirely inside the tunnel.
One detail trips people up: the rules apply to apps or destinations, not to tabs or accounts. If you exclude a browser, every tab in it bypasses the tunnel, including the ones you think of as sensitive. Routing decisions happen below the level your apps can see, which is why planning the split by whole programs is the only reliable way to reason about it.
The two modes: include and exclude
Apps present split tunneling in one of two directions, and the difference matters for safety.
| Mode | Rule | Default for new apps | Best for |
|---|---|---|---|
| Include mode | Only listed apps use the VPN | Unprotected | Protecting one or two sensitive apps |
| Exclude mode | Listed apps bypass the VPN, everything else is tunneled | Protected | Most people, most of the time |
Exclude mode fails safe. If you install a new app and forget to configure it, that app is protected by default. Include mode fails open: anything you forget runs outside the tunnel. Prefer exclude mode unless you have a specific reason not to.
When split tunneling genuinely helps
Speed for heavy, low-risk traffic
Game downloads, system updates, and large media files gain little from encryption to a remote server, and the detour costs throughput. Excluding them keeps your line at full speed, a trick we also recommend in our guide to improving your VPN speed.
Local devices and services
Printers, smart TVs, and file shares live on your home network. Full tunneling can make them unreachable. Excluding the apps that talk to them restores normal behavior.
Services that reject VPN traffic
Your bank or your employer's portal may block connections from data center addresses. Routing just that one app outside the tunnel avoids the block without dropping protection for everything else.
Region-sensitive apps
Sometimes you want one app to see your real location, for accurate local results, while the rest of your traffic exits through a different region. Choose your exit point from our server locations and exclude the local app.
The risks you accept
Every exclusion is a deliberate hole in your protection. Traffic in the bypass lane exposes your real IP address and is visible to your network operator, exactly as if you had no VPN. The risk grows when exclusions are broad, stale, or forgotten. A browser excluded for one errand last month is still excluded today.
There is also a subtle interaction with safety features. A kill switch typically guards only the tunneled lane, so excluded apps keep talking even when the VPN drops. Review how the two features combine in our kill switch guide before relying on both.
Finally, remember that the two lanes can be correlated. A website loaded outside the tunnel and a website loaded inside it can still belong to the same person from the point of view of anyone comparing timing and accounts. Split tunneling manages convenience and speed. It is not a tool for separating identities.
Common setups that work well
The traveler
Everything tunneled, no exceptions. On hotel and airport networks the direct lane has no advantages, so split tunneling stays off entirely. This is the simplest configuration and the right one for anyone who mostly worries about untrusted networks.
The home office
Everything tunneled except the apps that talk to local hardware: the printer utility, the network drive client, the smart home dashboard. Work traffic, browsing, and email all stay protected while the office equipment keeps working without friction.
The shared household
The VPN runs on a desktop that also downloads large game updates overnight. The game launcher is excluded so updates run at full line speed, while browsers and everything else stay inside the tunnel. One exclusion, clearly justified, reviewed now and then.
Tip: Audit your split tunneling list once a month. Remove every app you no longer need to exclude. The best exception list is a short one.
How to set it up safely
- Start with everything tunneled, then add exclusions one at a time as real needs appear.
- Prefer exclude mode so new apps are protected by default.
- Never exclude your main browser. Use a separate browser for the rare task that needs a direct connection.
- Keep DNS inside the tunnel if your app offers the option, so excluded apps reveal as little as possible.
- After each change, check your visible IP address from both an excluded app and a tunneled one to confirm the split works as intended.
If you are unsure whether a particular app is safe to exclude, err on the side of keeping it tunneled. The broader principles in our security guide apply here: protect by default, make exceptions consciously.
Split tunneling support is different on each platform
Before you plan around split tunneling, check whether your specific device actually supports it. The feature is not the same everywhere, and one of the most popular devices barely supports it at all. What works on your phone may not work on your laptop, so it helps to know the real picture for each platform.
- Android: strong built-in per-app control. You can pick exactly which apps use the vpn.now connection and which skip it, right in the app settings.
- Windows: many vpn.now style apps let you choose apps to include or exclude. Support is common, but it depends on the app you install, so confirm it is there.
- macOS: support is more limited and varies a lot from one app to another. Some apps offer it, some do not, so test before you rely on it.
- iPhone and iPad: Apple's system rules generally do not allow true per-app split tunneling. You usually cannot tell single apps to skip the VPN.
- Home router: you split by device, not by app. The whole laptop goes through the VPN while the whole smart TV stays off it, for example.
On iOS, plan for the limit instead of fighting it. Most people route by network, such as trusting their home Wi-Fi and using the VPN on public networks, or they simply toggle the VPN on and off when they need a certain app to connect directly. It is less precise than per-app control, but it works within the rules Apple sets.
The practical takeaway is simple. Do not assume a setup will work just because you saw it on another device. Confirm that your phone, computer, or router supports the kind of split tunneling you want first, and on iOS expect to route by network or toggle the VPN rather than picking single apps.
Summary
Split tunneling trades a little protection for a lot of flexibility, on your terms.
- It routes chosen apps or destinations outside the VPN while the rest stays encrypted.
- Exclude mode fails safe and suits most people better than include mode.
- Use it for bulky low-risk downloads, local devices, and services that block VPN addresses.
- Every exclusion exposes your real IP address for that traffic.
- Keep the exception list short and review it regularly.
