By default, a VPN sends all your traffic through the encrypted tunnel. Every app, every website, every connection goes through the VPN server. That gives maximum privacy, but it is not always what you want. Sometimes you need the VPN for some tasks and your normal connection for others. Split tunneling lets you choose.
Split tunneling divides your traffic into two paths: one through the VPN, one through your normal connection. You might route only your browser through the VPN while your smart home app, local file server, or banking app uses your direct connection. Or you might do the opposite: include only specific apps in the VPN and leave everything else on your normal path. The feature goes by different names — per-app VPN, selective routing, split tunnel — but the concept is the same: selective encryption based on your rules.
The feature is useful for several reasons. Banking apps sometimes flag or block VPN traffic; excluding them avoids false fraud alerts. Local network devices (printers, NAS, smart home) may not be reachable when all traffic goes through the VPN. Video calls and gaming often benefit from lower latency on the direct path. Split tunneling lets you optimize for each use case. Remote workers who need to access both corporate resources (through a work VPN) and personal browsing (through a personal VPN) sometimes use split tunneling to keep the two separate.
There are tradeoffs. Any traffic you exclude from the VPN is not encrypted by the VPN and will use your real IP. Your ISP and local network can see it. You should only exclude apps or routes you are comfortable exposing. This guide explains how split tunneling works, when to use it, and what to watch out for. We also cover platform support, DNS implications, and how to verify your configuration does not leak.
Split tunneling is a power-user feature. Most users should leave it off and use full tunneling for maximum protection. But when you have a specific need — a banking app that blocks VPNs, a printer that becomes unreachable, or a game that needs the lowest possible latency — split tunneling gives you control. The key is to exclude only what you must and to understand that excluded traffic is exposed. We walk through the configuration steps and the security implications so you can make an informed choice.
How Split Tunneling Works
Normally, a VPN routes all traffic from your device through the VPN server. With split tunneling, you define rules: for example, only browser and streaming app traffic goes through the VPN, while your smart home app and local file server use the direct connection.
The VPN client applies routing rules at the network layer. When an app sends traffic, the client checks whether it matches your split-tunnel rules. If it does, the traffic goes through the VPN; if not, it uses your normal default route. The rules can be based on applications (app-based) or on destinations (route-based). The implementation varies by platform: on Windows and Linux, the VPN may modify routing tables; on Android, it may use the per-app VPN API; on iOS, options are more limited.
App-based split tunneling is common on desktop and mobile. You select which apps use the VPN — either an include list (only these apps use the VPN) or an exclude list (all apps except these use the VPN). Route-based split tunneling uses IP ranges or domains. For example, you might exclude 192.168.0.0/16 so all local network traffic bypasses the VPN. Some VPNs offer both; others offer only one. Check your app settings to see what is available. The routing decision happens per packet; there is no performance penalty for having split-tunnel rules. The VPN client intercepts outbound traffic and routes it based on your configuration.
App-Based vs Route-Based
App-based split tunneling (common on mobile and desktop clients) lets you pick which applications use the VPN. Route-based split tunneling uses IP ranges or domains to decide what goes through the tunnel. App-based is simpler for most users; route-based gives finer control for advanced use cases.
Include vs Exclude Mode
Include mode means only the apps or routes you list use the VPN; everything else goes direct. Exclude mode means everything uses the VPN except what you list. Include mode is useful when you want the VPN for a few specific apps; exclude mode when you want the VPN for most traffic but need to bypass it for local devices or banking.
Platform Differences
Split tunneling support varies by platform. Desktop VPNs often offer both app-based and route-based options. Mobile apps may offer app-based only, and some platforms restrict what VPN apps can do. Check your VPN's documentation for your specific device.
Implementation Details
The VPN client modifies routing tables or uses platform-specific APIs (e.g. Android's per-app VPN) to direct traffic. The implementation must correctly handle DNS: if an excluded app resolves domains, those DNS queries may go to your ISP unless the VPN also handles DNS routing carefully.
Verifying Your Configuration
After configuring split tunneling, run a DNS leak test to ensure excluded apps are not causing unintended leaks. Some VPNs route DNS for all apps through the tunnel regardless of split-tunnel rules; others do not. Verify your provider's behavior.
Include vs Exclude: Which to Use
Use exclude mode when you want the VPN for most traffic but need to bypass it for a few apps (e.g. banking, local devices). Use include mode when you want the VPN for only a few apps (e.g. streaming) and everything else on your direct connection. Exclude mode is generally safer: you default to protection and make explicit exceptions. Include mode means most traffic is exposed unless you add it to the list.
When to Use Split Tunneling
Use it when you need the VPN for some tasks but not others: for example, routing only streaming traffic through the VPN while keeping gaming or video calls on your local connection for lower latency. Some users exclude banking apps from the VPN to avoid triggering fraud checks.
Banking and financial apps are a common use case. Many banks flag or block VPN traffic because it can indicate fraud or location spoofing. Excluding your banking app from the VPN avoids false positives and keeps your account in good standing. The tradeoff: your banking traffic uses your real IP. For most users that is acceptable. Some banks may even require that you use your "home" connection for certain operations; split tunneling makes that possible without disconnecting the VPN entirely.
Local network access is another common reason. When all traffic goes through the VPN, your device may not be able to reach your printer, NAS, or smart home devices on the local network. Split tunneling lets you exclude local traffic so those devices remain accessible. You can typically exclude the 192.168.x.x and 10.x.x.x ranges to achieve this. Without this exclusion, you might find yourself disconnecting the VPN whenever you need to print or access a local file share — which defeats the purpose of an always-on VPN.
Banking and Financial Apps
Banks often block or flag VPN traffic. Excluding your banking app avoids login failures and fraud alerts. Your banking traffic will use your real IP; if you are comfortable with that, split tunneling improves compatibility.
Local Network Devices
Printers, NAS, smart home devices, and other local resources may not work when all traffic goes through the VPN. Excluding local IP ranges (e.g. 192.168.0.0/16) keeps them accessible while the rest of your traffic stays protected.
Gaming and Video Calls
Gaming and video calls benefit from low latency. Routing them through the VPN can add delay. Some users exclude these apps to get the best performance. The tradeoff: your real IP is visible to game servers and call participants.
Streaming and Geo-Unblocking
You might want the VPN only for streaming (to access region-locked content) while keeping other traffic on your direct connection. Include-mode split tunneling can route only your streaming app through the VPN.
Work and Personal VPN Coexistence
If you use a work VPN for corporate resources and a personal VPN for privacy, they can conflict. Split tunneling can help: exclude work apps from the personal VPN so they use the work VPN, or vice versa. The exact setup depends on your employer policy and how the two VPNs are configured. Some users run only the personal VPN with work apps excluded when not accessing corporate resources.
Security Considerations
Any traffic excluded from the VPN is not encrypted by the VPN and will use your real IP. Only exclude apps or routes you are comfortable exposing to your ISP and local network.
Your ISP can see excluded traffic: which sites you visit, when you connect, and metadata about your activity. On a shared or public network, other users could potentially intercept unencrypted traffic from excluded apps. HTTPS protects the content of web traffic, but the destination and timing are still visible.
Do not exclude apps you do not trust. If an app is excluded, its traffic goes over your real connection. Malware or poorly written apps could leak data. When in doubt, use full tunneling (no split) for maximum protection.
What Gets Exposed
Excluded traffic uses your real IP and is not encrypted by the VPN. Your ISP sees it. On local networks, other devices may see it. HTTPS still encrypts web content, but metadata (destinations, timing) can be observed.
When to Avoid Split Tunneling
If you use the VPN specifically for privacy — to hide from your ISP or on public WiFi — excluding traffic undermines that goal. For maximum privacy, use full tunneling. Split tunneling is a convenience feature; use it only when the benefits outweigh the privacy tradeoff.
DNS Considerations
Excluded apps may still use your system DNS, which could go to your ISP. A VPN with DNS leak protection typically forces DNS through the tunnel; with split tunneling, excluded apps might bypass that. Check how your VPN handles DNS for excluded traffic.
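A static check that complements a DNS leak test, added here as an example and not taken from any VPN client: it reads a resolv.conf-style resolver list and uses longest-prefix matching against a route table to report resolvers that would be reached outside the tunnel. The route table, the tunnel subnet 10.8.0.0/24 and the resolver addresses are constructed assumptions.

```python
import ipaddress

def parse_nameservers(text):
    """Return nameserver IPs from resolv.conf-style text, skipping comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers

def lookup(dest, table):
    """Longest-prefix match of dest against [(cidr, path)]; None if no route."""
    ip = ipaddress.ip_address(dest)
    best = None
    for cidr, path in table:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, path)
    return best[1] if best else None

def leaking_resolvers(resolv_text, table):
    """Resolvers whose queries would leave over the real connection."""
    return [ns for ns in parse_nameservers(resolv_text)
            if lookup(ns, table) != "vpn"]

# Constructed sample: exclude-mode table with the local ranges bypassing the VPN.
TABLE = [
    ("0.0.0.0/0", "vpn"),          # default: everything through the tunnel
    ("192.168.0.0/16", "direct"),  # local-network exclusion
    ("10.0.0.0/8", "direct"),      # local-network exclusion
    ("10.8.0.0/24", "vpn"),        # assumed tunnel subnet, more specific than 10/8
]
RESOLV = """# constructed resolver list
nameserver 10.8.0.1
nameserver 192.168.1.1
; the second entry is a LAN router that forwards to the ISP
search lan
"""

if __name__ == "__main__":
    print("resolvers outside the tunnel:", leaking_resolvers(RESOLV, TABLE))
```

A LAN router listed as a resolver falls inside the excluded 192.168.0.0/16 range, so queries sent to it bypass the tunnel even though the sites themselves are tunneled.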
Best Practices
Exclude only what you need. Prefer exclude lists (VPN for most, bypass for specific apps) over include lists when possible, so you default to protection. Regularly review your split-tunnel rules and remove exclusions you no longer need.
Split Tunneling and Kill Switch
If you use split tunneling with a kill switch, the kill switch typically blocks all traffic when the VPN drops — including traffic that would normally be excluded. The kill switch is a safety net: when the VPN is down, nothing leaves your device. When the VPN is up, split-tunnel rules apply. Some implementations may differ; check your provider documentation. The combination of split tunneling and kill switch gives you selective routing when connected and full protection when disconnected.
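The include/exclude decision from the earlier sections combined with the kill-switch behaviour described above, as an added example rather than code from any VPN client. It models route-based rules only; the destination names, addresses and rule lists are constructed, and the kill switch follows the "typical" behaviour the text describes.

```python
import ipaddress

def route(dest, mode, rules, vpn_up=True, kill_switch=True):
    """Return 'vpn', 'direct' or 'blocked' for one destination IP.

    mode  -- 'exclude': listed ranges bypass the VPN, everything else is tunneled
             'include': only listed ranges are tunneled, everything else goes direct
    rules -- CIDR strings making up the split-tunnel list
    """
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown mode: {mode!r}")
    if not vpn_up:
        # Kill switch as described in the text: with the tunnel down nothing
        # leaves the device, not even traffic that is normally excluded.
        return "blocked" if kill_switch else "direct"
    ip = ipaddress.ip_address(dest)
    listed = any(ip in ipaddress.ip_network(r) for r in rules)
    if mode == "exclude":
        return "direct" if listed else "vpn"
    return "vpn" if listed else "direct"

def exposed(dests, mode, rules, **state):
    """Names of destinations that would leave over the real connection."""
    return sorted(name for name, ip in dests.items()
                  if route(ip, mode, rules, **state) == "direct")

# Constructed sample destinations (private and documentation address ranges).
DESTS = {
    "printer": "192.168.1.50",
    "nas": "10.0.0.20",
    "streaming": "198.51.100.7",
    "new-app": "203.0.113.10",   # not covered by any rule
}
EXCLUDE_RULES = ["192.168.0.0/16", "10.0.0.0/8"]
INCLUDE_RULES = ["198.51.100.0/24"]

if __name__ == "__main__":
    print("exclude mode exposes:", exposed(DESTS, "exclude", EXCLUDE_RULES))
    print("include mode exposes:", exposed(DESTS, "include", INCLUDE_RULES))
    print("VPN down, kill switch on:",
          {n: route(ip, "exclude", EXCLUDE_RULES, vpn_up=False)
           for n, ip in DESTS.items()})
```

The unlisted "new-app" destination is tunneled in exclude mode but exposed in include mode, which is why exclude mode is the safer default.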
Summary and Key Takeaways
Split tunneling lets you route only selected traffic through the VPN while the rest uses your normal connection. Use it for banking apps that block VPNs, local network devices like printers and NAS, or gaming and video calls where you want lower latency. The tradeoff: excluded traffic uses your real IP and is not encrypted by the VPN.
Default to full tunneling for maximum privacy. Enable split tunneling only when you have a specific need. Exclude the minimum necessary — one or two apps or local IP ranges — and review your rules periodically. Run a DNS leak test after configuring split tunneling to ensure you are not leaking DNS from excluded apps.
KloxVPN supports split tunneling on supported platforms. Desktop typically offers both app-based and route-based options; mobile may have restrictions. Check your app settings and verify platform support before relying on split tunneling for your use case.
When to Use
Banking apps, local devices, gaming, video calls. Only when you have a concrete need.
When to Avoid
When you want maximum privacy. Excluded traffic is exposed. Default to full tunneling.
Configuration Workflow
Identify the specific app or route you need to exclude. Add it to your split-tunnel list. Test that the excluded app works and that the rest of your traffic still goes through the VPN. Run a DNS leak test. Remove exclusions you no longer need. Keep the exclude list minimal.
Key Takeaways
Split tunneling gives you control over which traffic uses the VPN and which uses your normal connection. It is useful for banking apps, local network access, gaming, and video calls — situations where the VPN can cause compatibility or performance issues.
The tradeoff is privacy: excluded traffic uses your real IP and is not encrypted by the VPN. Only exclude what you need, and only for apps you trust. When in doubt, use full tunneling for maximum protection.
KloxVPN supports split tunneling on supported platforms. Check your app settings to configure include or exclude lists. Use it when the benefits outweigh the privacy tradeoff; otherwise, leave it off and let all traffic flow through the VPN.
Platform support varies. Desktop VPNs typically offer both app-based and route-based split tunneling. Mobile may have restrictions due to OS limitations. Android's per-app VPN feature enables app-based control; iOS is more limited. If split tunneling is important for your use case, verify that your VPN supports it on your device before subscribing. Run a DNS leak test after configuring split tunneling to ensure excluded apps are not causing unintended leaks.
Review your split-tunnel rules periodically. Apps you excluded months ago may no longer need exclusion. The fewer apps outside the VPN, the better your privacy. A quarterly review takes only a few minutes and keeps your configuration aligned with your current needs. When you add a new app that might need exclusion (e.g. a new banking app), add it to your list and test. When you stop using an app, remove it from the exclude list so its traffic goes back through the VPN. Split tunneling is a tool; use it deliberately and sparingly.
When you first enable split tunneling, start with a single exclusion. Add your banking app or local network range, test that it works, then run a DNS leak test. If the test passes, add more exclusions only if needed. Building the list incrementally reduces the chance of misconfiguration. If you exclude too much at once, you may not notice a leak until later. Some users find that excluding only the banking app is enough; others need local network access for printers and NAS. Your needs determine the list. Keep it as short as possible.
KloxVPN supports split tunneling on desktop and mobile where the platform allows. Check your app settings for include or exclude lists. Start with full tunneling; add split tunneling only when you have identified a concrete need. The default should always favor privacy. Excluded traffic is a conscious tradeoff — make it deliberately and document why.
KloxVPN Team
Experts in VPN infrastructure, network security, and online privacy. The KloxVPN team has been building and operating VPN services since 2019, providing consumer and white-label VPN solutions to thousands of users worldwide.