Split tunneling is a VPN feature that lets you divide your internet traffic into two paths: some goes through the encrypted VPN tunnel, and the rest goes directly through your regular internet connection.
Without split tunneling, a VPN routes everything through the tunnel. Your banking app, Netflix, work email, gaming, and everything else all go through the VPN server. Split tunneling changes that on a per-app or per-website basis.
How split tunneling works
Your VPN app maintains a routing table that determines where each piece of traffic goes. With split tunneling enabled, you specify rules: “route this app through the VPN” or “route these IP addresses directly.”
Traffic that matches your rules goes through the VPN: encrypted, IP masked, routed through the VPN server. Everything else goes directly through your normal internet connection.
There are two modes most providers offer:
Inclusive split tunneling: Default is direct connection. Only the apps you specify go through the VPN. Good if you only want to protect specific things.
Exclusive split tunneling: Default is VPN. Only the apps you specify bypass the VPN. Good if you want most traffic protected but need certain apps to use your real IP.
When split tunneling is useful
Banking apps: Some banks flag logins from VPN IP addresses and add friction (extra verification, temporary freezes). Excluding your banking app from the VPN lets it use your real IP, avoiding this.
Local network access: When connected to a VPN, your local network (NAS, printer, smart home devices) may become inaccessible. Split tunneling with local network traffic excluded keeps your home devices accessible.
Streaming geo-access plus local content: Connect a streaming app to a foreign VPN server for geo-unblocked content, while keeping other apps on your local IP for local services.
Speed-sensitive applications: If you’re gaming or doing a large download and the VPN adds latency or reduces speed, excluding those applications keeps performance high while other traffic stays protected.
Work + personal: On a home device, route work apps through a corporate VPN and personal apps through a personal VPN or directly. Keeps work and personal traffic separated.
When split tunneling creates risk
You think you’re protected, but you’re not: If you set up split tunneling and forget about it, you may assume all traffic is going through the VPN when sensitive apps are excluded.
DNS leaks: Some split tunneling implementations send DNS queries for all traffic (including the non-VPN traffic) through the VPN’s DNS server. Others don’t. If the non-VPN traffic uses your ISP’s DNS, your ISP can still see which sites those apps are looking up.
IP correlation: If an adversary can see both your VPN IP (from VPN-routed traffic) and your real IP (from direct traffic), they can correlate the two to identify you. For most users this is theoretical. For high-risk users, full-tunnel VPN is safer.
Which VPNs support split tunneling
| VPN | Windows | macOS | Android | iOS |
|---|---|---|---|---|
| NordVPN | Yes | Yes | Yes | Limited |
| Surfshark | Yes | Yes | Yes | Limited |
| ProtonVPN | Yes | No | Yes | No |
| ExpressVPN | Yes | Yes | Yes | No |
| Mullvad | Yes | Yes | Yes | No |
iOS imposes significant limitations on split tunneling due to Apple’s VPN API restrictions. Most providers offer either no split tunneling or very limited functionality on iOS. Full split tunneling is primarily a Windows, macOS, and Android feature.
How to set up split tunneling on NordVPN
- Open the NordVPN app
- Go to Settings > VPN > Split Tunneling
- Toggle Split Tunneling on
- Choose “Apps” mode (exclude specific apps from VPN) or “Websites/IPs” mode
- Add the apps or addresses you want to exclude
For example: add your banking app and local network range (e.g., 192.168.1.0/24) to exclusions. Everything else goes through the VPN.
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
Split tunneling is useful for specific cases: banking apps, local network access, speed-sensitive applications. It's not something most users need to configure. If you do use it, be deliberate about what you exclude and check your DNS leak settings to avoid creating gaps in your protection. Full-tunnel VPN is the safer default for privacy-focused use.
Recipes that earn their setup time
Concrete configurations beat abstractions, so here are the four that cover most lives. The banking exemption: route your bank’s app outside the tunnel, since some banks challenge VPN IPs, and you’d rather keep the tunnel up for everything else than drop it for a balance check. The streaming split: TV apps inside the tunnel (the catalogs you VPN for), local catch-up TV outside it (which often blocks VPNs and needs none). The work split: corporate tools outside your personal tunnel where the company client handles them, everything personal inside. And the speed split for gamers: the game’s traffic outside (lowest ping wins), the launcher’s downloads inside (ISP throttling of big downloads is real and the tunnel hides them).
Each recipe is two minutes in the app’s split tunneling list, and each removes one recurring reason to disable the VPN entirely, which is the feature’s whole purpose: fewer exceptions, more uptime.
The leak surface honesty section
Split tunneling deliberately punches holes in the tunnel, and the holes behave like holes. Excluded apps expose your real IP by design; DNS handling for excluded traffic varies by implementation and deserves one leak-test pass after setup; and browser-based splits (extension routing some sites, app routing others) multiply the chances of a mismatched expectation. The rule that keeps it safe: split by app with the provider’s official feature, audit the exclusion list quarterly, and never exclude anything whose privacy actually matters to you. Convenience features make poor secrecy tools; used as convenience, with the kill switch guarding what remains inside, the trade is clean.
Platform support, honestly mapped
The feature’s availability is patchier than feature grids admit. Android (and Android TV) gets the gold standard: true per-app splitting in every major provider’s app. Windows matches it; macOS offers app-based splitting in some clients with platform-imposed quirks; iOS, by Apple’s rules, restricts real per-app splitting, so iPhone “splits” are mostly route-based approximations. Routers split by device instead of app, which for TVs and consoles is often the more useful axis anyway.
Check your specific platform’s support page before building a workflow around the feature; among our top scorers, NordVPN and Surfshark cover the widest platform spread for it. And wherever you land, re-run one leak test after configuring: the feature’s whole job is selective exposure, and verification confirms the selection matches your intent.
(If you remember one sentence: split tunneling is for convenience, the kill switch is for safety, and the apps that belong in the tunnel are the ones you’d mind a stranger reading. Configure to that standard and the feature serves you rather than surprising you.)
Worth one final example of the feature at its best: the traveler running hotel-booking research inside the tunnel for the pricing experiments our travel articles describe, while the airline’s own app stays outside it to keep check-in friction-free. Same phone, same minute, both behaviors correct.
Keep reading: What Is a VPN Kill Switch and Why You Need One and WireGuard vs OpenVPN: Which Protocol Should You Use in 2026?.