Imagine you are working from home, connected to your VPN for security. You need to access a work database, but you also want to stream music, print to your home printer, and check your bank account — all at the same time. With a standard VPN connection, all of that traffic gets routed through the VPN tunnel, which can slow things down, block local devices, or prevent access to certain services. This is exactly the problem that VPN split tunneling solves. It is a feature that gives you control over which traffic goes through the VPN and which does not — and once you understand how it works, you will wonder how you ever managed without it.
This article contains affiliate links.
What Is Split Tunneling? A Simple Explanation
Two lanes on one highway
Split tunneling is a VPN feature that lets you choose which apps, websites, or types of internet traffic travel through the encrypted VPN tunnel and which connect directly to the internet as they normally would. Think of it like having two lanes on a highway: one is a secure, private tunnel, and the other is the regular open road. You decide which of your data takes which route.
Without split tunneling, a VPN works in “full tunnel” mode. This means every single piece of data leaving your device — whether it is a sensitive work email or a casual search for dinner recipes — passes through the VPN server. That is great for maximum privacy, but it is not always practical or necessary. With split tunneling enabled, you get to be selective. You might route your web browser through the VPN for private browsing while letting your smart home app communicate directly with local devices. It is about flexibility and efficiency, not about compromising your security.
How it works behind the scenes
When you enable split tunneling, your VPN client adjusts your device’s routing table — a set of directions your device uses to figure out where to send data. Normally, the VPN overwrites this table so everything goes through the tunnel. With split tunneling, the routing table is modified to allow certain traffic to take the direct path to the internet while the rest continues through the VPN. This all happens in the background. You do not need to manually edit routing tables or deal with complicated networking commands. Modern VPN apps like NordVPN handle it with simple toggle switches and app selection menus.
Types of Split Tunneling
App-based split tunneling
This is the most common type and the one you will find in NordVPN’s desktop and Android apps. You choose specific applications that should use the VPN or bypass it. For example, you might route your web browser and email client through the VPN for privacy while letting your gaming client, Spotify, or video conferencing app connect directly for better speed. This approach is straightforward — you see a list of installed apps and simply toggle each one to go through or around the VPN.
URL or website-based split tunneling
Some VPNs let you specify certain websites or domains that should go through the VPN while everything else connects normally, or vice versa. This is typically handled through a browser extension rather than the main VPN app. It gives you more granular control than app-based tunneling because you can protect certain websites (like your bank) while letting others (like a local news site) connect directly. NordVPN’s browser extension offers this type of control for Chrome and Firefox users.
Inverse split tunneling
Instead of choosing which apps go through the VPN, you choose which apps should bypass it. Everything else stays protected by default. This is often the more security-conscious approach because your default state is protected — you only make exceptions for specific apps that need a direct connection. If you are unsure which approach to use, inverse split tunneling is generally the safer choice because it keeps you protected unless you explicitly choose otherwise.
Comparison of split tunneling types
| Type | How It Works | Best For | Security Level |
|---|---|---|---|
| App-based | Select specific apps to route through VPN | Remote work, gaming, streaming | Good (you choose what is protected) |
| URL/Website-based | Select specific websites via browser extension | Protecting banking sites while browsing locally | Good (granular website control) |
| Inverse | Everything through VPN except selected apps | Maximum security with specific exceptions | Best (protected by default) |
| Full tunnel (no split) | All traffic through VPN | Public Wi-Fi, maximum privacy | Maximum (everything encrypted) |
When Should You Use VPN Split Tunneling?
Working from home or remote work
This is one of the most common use cases. Many employers require you to connect to a corporate VPN to access internal resources like company databases, intranets, or secure file servers. But when all your traffic goes through the corporate VPN, personal tasks — like streaming music, browsing social media during a break, or using your home printer — can be slow, blocked, or monitored by your employer’s network. With split tunneling, you can route only work-related apps through the corporate VPN while keeping personal browsing on your regular connection. This keeps your work secure without sacrificing speed or privacy for personal use.
Accessing local network devices
Have you ever connected to a VPN and suddenly could not access your home printer, a NAS (network-attached storage) drive, or a Chromecast? That happens because the VPN redirects all your traffic to a remote server, effectively cutting your device off from the local network. Split tunneling solves this by letting you exclude local network traffic from the VPN. Your secure browsing still goes through the tunnel, but your device can simultaneously communicate with other devices on your home network — printers, smart speakers, media servers, and anything else on your local network.
Preserving bandwidth and speed
VPNs add overhead to your connection. Your data has to be encrypted, sent to a VPN server (which might be in another country), decrypted, and then forwarded to its destination — and the whole process reverses on the way back. This inevitably adds some latency and can reduce your speeds. If you are doing something bandwidth-intensive that does not require VPN protection — like downloading a large game update from a trusted platform or streaming from a service that works fine on your regular connection — split tunneling lets that traffic flow directly while your sensitive browsing stays encrypted.
Online banking and local services
Some banks and financial services flag or block VPN connections because they see traffic coming from an unusual location. If your VPN is connected to a server in another country, your bank might think your account is being accessed from abroad and lock you out or trigger extra security checks. Split tunneling lets you exclude your banking app or website from the VPN so it uses your real, local IP address. This prevents triggering fraud detection while the rest of your internet activity remains encrypted and private.
Gaming with low latency
Online gaming is very sensitive to latency (the delay between your action and the server’s response). Even a small increase in latency can affect your gaming experience, especially in competitive multiplayer games. If you do not need VPN protection for your gaming traffic specifically, you can use split tunneling to route your game directly to the internet while keeping your browser and other apps protected through the VPN. This gives you the lowest possible latency for gaming while maintaining privacy for everything else.
When Should You NOT Use Split Tunneling?
On public or untrusted Wi-Fi networks
When you are connected to public Wi-Fi — at a cafe, airport, hotel, or any other shared network — split tunneling is generally not recommended. On these networks, any traffic that bypasses the VPN is exposed to potential interception by other users on the same network. The whole point of using a VPN on public Wi-Fi is to encrypt everything, so creating exceptions defeats the purpose. On untrusted networks, use full tunnel mode to keep all your traffic encrypted.
When handling highly sensitive data
If you are working with confidential business documents, medical records, financial data, or any other highly sensitive information, it is safer to keep the VPN in full tunnel mode. Split tunneling creates the possibility — however small — of accidentally routing sensitive traffic through the unprotected path. When the stakes are high, the simplicity and certainty of full encryption is worth the minor speed trade-off.
If you are not sure which apps need protection
If you are new to VPNs or not confident about which apps should be protected and which can safely bypass the VPN, stick with full tunnel mode until you have a clear understanding of your needs. Split tunneling is a tool for people who know what they want to protect. Using it without understanding what you are exposing could leave you less secure than you think.
How to Set Up Split Tunneling in NordVPN
On Windows
Setting up split tunneling in NordVPN on Windows is straightforward. Open the NordVPN app and go to Settings by clicking the gear icon. Look for the Split Tunneling option under the VPN section. Toggle it on, and you will see two choices: you can select apps that should use the VPN (app-based) or select apps that should bypass the VPN (inverse). Click “Add apps” to browse your installed applications and select the ones you want to configure. Once you have made your selections, connect to a NordVPN server and your split tunneling rules will take effect immediately.
On Android
On Android, NordVPN offers split tunneling through its app settings. Open the NordVPN app, tap the profile icon, then go to Settings and VPN. You will find the Split Tunneling option, which NordVPN labels as “Split tunneling” in its Android app. Enable it and choose which apps should bypass the VPN. The apps you select will connect directly to the internet, while everything else remains encrypted through the VPN tunnel. This is particularly useful on Android because many apps — like local delivery services, smart home controllers, or banking apps — work better with a direct connection.
On macOS
NordVPN offers split tunneling on macOS through its app settings. The process is similar to Windows: open Settings, find Split Tunneling, and configure which apps should go through or bypass the VPN. Note that macOS has some system-level restrictions that can affect how split tunneling works with certain apps. If you encounter issues, NordVPN’s support documentation provides specific troubleshooting steps for macOS users.
Using the browser extension
For website-level control, install the NordVPN browser extension for Chrome or Firefox. The extension lets you manage VPN protection on a per-website basis directly from your browser toolbar. You can add specific websites to a bypass list so they connect directly, while all other browsing goes through the VPN. This is useful when you want most of your browsing encrypted but need specific local websites (like your bank or a local service) to see your real IP address.
Split Tunneling Setup Recommendations by Use Case
Best configurations for common scenarios
| Scenario | Through VPN | Bypass VPN | Tunneling Type |
|---|---|---|---|
| Remote work | Work apps, email, browser | Spotify, printer, smart home | App-based |
| Gaming + browsing | Browser, email, messaging | Game client, voice chat | App-based |
| Streaming + banking | Browser, streaming app | Banking app | Inverse (bypass banking only) |
| Developer / testing | Personal browser, email | Local dev server, testing tools | App-based |
| Smart home user | Everything | Smart home controller, Chromecast | Inverse |
| Public Wi-Fi | Everything | Nothing | Full tunnel (no split) |
Split Tunneling and VPN Speed: What to Expect
How much faster is split tunneling?
The speed improvement from split tunneling depends on what you are routing outside the VPN. For apps that are bandwidth-intensive and connect to nearby servers — like local streaming services, game downloads, or large file transfers from trusted sources — you may see your speed return to nearly your full unprotected connection speed for those specific apps. The traffic that still goes through the VPN will perform as it normally would with VPN encryption overhead (typically 5-15% speed reduction with NordLynx protocol).
Speed comparison: full tunnel vs split tunneling
| Activity | Full Tunnel Speed | Split Tunnel Speed (bypassed) | Difference |
|---|---|---|---|
| Web browsing (through VPN) | 90-95% of base speed | 90-95% of base speed | Same (still through VPN) |
| Local network printing | Often blocked | Full speed, works normally | Functionality restored |
| Game download (bypassed) | 85-90% of base speed | 100% of base speed | 10-15% faster |
| Video call (bypassed) | Good quality | Best quality, lowest latency | Lower latency |
| Banking app (bypassed) | May be blocked | Works normally | Access restored |
Split Tunneling for Specific Activities
Remote work and corporate VPNs
Many remote workers face a frustrating situation: their company requires a corporate VPN for accessing internal resources, but the corporate VPN routes all traffic through the company’s network — including personal browsing, music streaming, and video calls. This means your employer’s network administrators can potentially see all of your internet activity, and everything runs slower because it passes through the company’s servers first. NordVPN’s split tunneling lets you take a different approach if you use a personal VPN alongside your work setup. You can route your personal browser and apps through NordVPN for privacy while letting your work applications (like Slack, Microsoft Teams, or your company’s intranet) connect through the corporate VPN or directly to corporate resources. This separation keeps your work traffic compliant with company policies while protecting your personal privacy.
Streaming and entertainment
Split tunneling is particularly useful for managing streaming services. You might want to route your streaming app through the VPN to access your home content library while traveling, but at the same time, you want your local food delivery app to use your real location so it works correctly. Or you might be at home and want to stream music directly (for the best audio quality and lowest latency) while keeping your web browser routed through the VPN for private browsing. With app-based split tunneling, you configure each app once and the VPN remembers your preferences for every future session.
Smart home device management
Smart home devices — like Philips Hue lights, Ring doorbells, Sonos speakers, and robotic vacuums — rely on local network communication to function properly. When a VPN routes all traffic through a remote server, these devices often become unreachable because the VPN prevents your phone from communicating with devices on the same local network. Split tunneling solves this by letting you exclude your smart home management apps (like the Philips Hue app, Ring app, or Google Home app) from the VPN. These apps communicate freely with your local devices while everything else stays encrypted.
Software development and testing
Developers often need to run local servers, access databases, and test applications on their local network while simultaneously browsing the web securely. A VPN in full tunnel mode can interfere with localhost connections, Docker containers, local development servers, and API testing tools. Split tunneling lets developers exclude their development tools (like VS Code, terminal applications, database management tools, and browser instances pointed at localhost) from the VPN while keeping their general browsing, communication tools, and code repository access encrypted through the tunnel.
Video conferencing and voice calls
Video calls on platforms like Zoom, Google Meet, and Microsoft Teams are sensitive to latency and bandwidth. While a VPN adds minimal overhead with modern protocols like NordLynx, every millisecond matters for real-time communication — especially if you are already on a slower connection. If you are not on a public network and do not need the VPN’s encryption for your video call specifically, you can use split tunneling to route your conferencing app directly to the internet while keeping your browser and other apps protected. This gives you the best possible call quality alongside encrypted browsing.
Split Tunneling on Different VPN Providers
How the top providers compare
| Feature | NordVPN | ExpressVPN | Surfshark |
|---|---|---|---|
| App-based split tunneling | ✅ Windows, Android, macOS | ✅ Windows, Mac, Android | ✅ Windows, Android |
| Inverse split tunneling | ✅ | ✅ | ✅ (Bypasser) |
| Website-based (browser) | ✅ Browser extension | ✅ Browser extension | ✅ Browser extension |
| iOS support | ❌ (Apple restriction) | ❌ (Apple restriction) | ❌ (Apple restriction) |
| Linux support | ✅ (CLI) | ✅ | ❌ |
| Router-level split tunneling | ✅ (via compatible routers) | ✅ (Aircove router) | ✅ (via compatible routers) |
| Ease of setup | Very easy (toggle interface) | Very easy | Easy |
Common Problems and Troubleshooting
App not following split tunneling rules
If an app does not seem to respect your split tunneling settings, try closing and reopening the app after enabling split tunneling. Some apps cache their network connections and will not pick up the new routing rules until they are restarted. If the problem persists, disconnect and reconnect the VPN — this forces the routing table to refresh. On Windows, some system-level apps may not work with split tunneling due to how they handle network connections at a low level.
Local devices not accessible despite bypass settings
If you have configured split tunneling but still cannot access local network devices like printers or NAS drives, make sure you have allowed LAN (Local Area Network) access in your VPN settings. NordVPN has a separate setting for this — look for “Allow LAN access” or “Invisibility on LAN” in the app’s settings. This setting needs to be enabled for your device to communicate with other devices on the same network while the VPN is active.
DNS leaks with split tunneling
One potential concern with split tunneling is DNS leaks — where your DNS queries (the requests that translate website names into IP addresses) go through your ISP’s DNS servers instead of the VPN’s private DNS servers, potentially revealing which websites you visit. NordVPN handles this by routing all DNS queries through its private DNS servers regardless of your split tunneling configuration. This means that even traffic that bypasses the VPN tunnel still uses NordVPN’s DNS servers, providing a consistent layer of privacy for your browsing activity.
Split tunneling not available on iOS
Apple’s iOS does not allow third-party VPN apps to implement split tunneling at the app level due to system restrictions. If you use an iPhone or iPad and need split-tunneling-like functionality, you have two options: use NordVPN’s browser extension in Safari or another browser for website-level control, or configure split tunneling on your home router so that specific devices or traffic types bypass the VPN at the network level rather than the app level.
Frequently Asked Questions
Is split tunneling less secure than a full VPN connection?
Any traffic that bypasses the VPN is not encrypted by the VPN, so technically, yes — those specific connections are less protected than they would be in full tunnel mode. However, split tunneling does not weaken the protection on the traffic that does go through the VPN. It is about making informed choices: you decide what needs encryption and what can safely connect directly. When used thoughtfully, split tunneling gives you a practical balance between security and functionality without compromising the protection on your sensitive traffic.
Does split tunneling work with the Kill Switch?
Yes, but with an important distinction. NordVPN’s Kill Switch blocks internet access for apps routed through the VPN if the VPN connection drops. Apps that you have configured to bypass the VPN through split tunneling will continue to work normally even if the VPN disconnects, because they were never using the VPN tunnel in the first place. This is actually useful — if the VPN drops, your banking app (if bypassed) continues to work, while your browser (if routed through the VPN) is blocked until the VPN reconnects, preventing accidental exposure.
Can I use split tunneling and Threat Protection at the same time?
Yes. NordVPN’s Threat Protection Pro feature works independently of split tunneling. It blocks malicious websites, ads, and trackers for all your traffic regardless of whether it goes through the VPN tunnel or bypasses it. This means that even apps you have configured to bypass the VPN still benefit from Threat Protection’s ad and malware blocking capabilities.
Does split tunneling use more battery on mobile devices?
Split tunneling has minimal impact on battery life compared to a full VPN connection. In fact, it may slightly reduce battery consumption because less of your traffic is being encrypted and routed through the VPN server. The difference is typically negligible, but on older devices with limited battery, every bit helps.
Can I use split tunneling with NordVPN’s Meshnet feature?
Yes, split tunneling and Meshnet can work together. Meshnet creates encrypted connections between your own devices for peer-to-peer file sharing, remote access, and traffic routing. You can configure split tunneling to route certain apps through the VPN while using Meshnet for device-to-device communication. For example, you might route your browser through a VPN server for privacy while using Meshnet to access files on your home computer from your office laptop.
What happens to split tunneling settings when I switch VPN servers?
Your split tunneling configuration persists when you switch between VPN servers. The rules you set — which apps go through the VPN and which bypass it — are tied to the VPN client’s settings, not to a specific server. This means you can switch from a US server to a UK server without reconfiguring your split tunneling rules. The same apps will continue to be routed or bypassed according to your settings.
Security Considerations for Split Tunneling
Understanding the risks
When you use split tunneling, any traffic that bypasses the VPN is not encrypted by the VPN. This means that data from bypassed apps travels over the internet in the same way it would without a VPN — protected only by the app’s own encryption (like HTTPS for websites) and the security of your network. On your home network, this is generally fine for trusted apps like banking (which has its own strong encryption) or smart home devices (which communicate locally). But if you are on an untrusted network like public Wi-Fi, bypassed traffic is exposed to potential interception. The key rule is: use split tunneling on trusted networks and full tunnel mode on untrusted ones.
Preventing accidental data exposure
One risk of split tunneling is that you might forget which apps are bypassing the VPN and accidentally perform sensitive activities on an unprotected connection. To minimize this risk, use inverse split tunneling (where everything goes through the VPN by default) rather than app-based tunneling (where you manually choose what to protect). With inverse mode, only the specific apps you have explicitly excluded will bypass the VPN — everything else remains encrypted. Also, periodically review your split tunneling settings to make sure they still match your needs. Apps update, habits change, and settings you configured months ago may no longer be appropriate.
IP address consistency
When split tunneling is active, different apps on your device may appear to come from different IP addresses. Apps going through the VPN show the VPN server’s IP address, while bypassed apps show your real IP address. In most cases, this is fine and even desirable (like letting your bank see your real IP to avoid fraud alerts). However, be aware that this means websites and services accessed through bypassed apps can see your real IP address and approximate location. If privacy is your primary concern for a particular app, make sure it is routed through the VPN, not bypassed.
Split tunneling and torrenting
If you download files via peer-to-peer (P2P) protocols, you should always route your torrent client through the VPN — never bypass it with split tunneling. P2P connections expose your IP address directly to other peers in the network, and without VPN protection, your real IP address is visible to everyone sharing the same files. NordVPN has dedicated P2P-optimized servers that provide fast download speeds with full encryption. Configure your torrent client to always go through the VPN, even if you use split tunneling for other apps.
Conclusion
VPN split tunneling is a powerful feature that gives you the flexibility to decide exactly which traffic gets VPN protection and which connects directly. For remote workers who need to balance corporate VPN requirements with personal browsing, gamers who want low latency alongside encrypted web activity, or anyone who needs to access local network devices while staying protected online, split tunneling is the solution. NordVPN offers intuitive split tunneling on Windows, Android, and macOS, making it easy to configure in minutes. Set your rules once, and the VPN handles the routing automatically from that point on — giving you the perfect balance of security, speed, and functionality.
