Split tunneling with a VPN

Split tunneling gives users flexibility and efficiency when using a VPN, but it carries security risks. Mixnets provide a third option.

Casey Ford, PhD, Communications Lead
Ania M. Piotrowska, PhD, Technical reviewer

Article updated 18 April 2026.

VPN split tunneling routes only selected internet traffic through an encrypted VPN tunnel while the rest connects directly to the internet via the ISP. This lets users balance privacy and speed without disabling the VPN entirely.

Traditional VPNs route everything through a single encrypted tunnel by default – a setup called full tunneling. Split tunneling breaks that model, letting users decide which apps, domains, or traffic types need VPN protection and which can use a direct ISP connection for lower latency.

NymVPN extends this further by giving you the choice between two modes in your app: a Fast mode for everyday traffic and an Anonymous mode for sensitive activity. With split tunneling in NymVPN, you can also bypass the VPN entirely for latency-critical tasks like gaming.

This guide will walk you through everything you need to know about split tunneling with a VPN, the different types available, and security and privacy considerations to keep in mind.

What is VPN split tunneling and how does it work?

First things first: What is VPN tunneling?

Network tunneling is a fundamental security feature provided by Virtual Private Networks (VPNs) to securely transmit data from a user’s device to the VPN’s server.

To reroute internet traffic, a VPN first encrypts data on the user’s device, then moves it through a VPN tunnel exclusive to that user to the VPN’s own server, where the user’s IP address is replaced with the VPN’s own. Encryption and tunneling prevent external surveillance and interference in transit: data is effectively unreadable to outside observers.

With a VPN activated, all online activity is routed through the same network tunnel and server by default – this is full tunneling.


VPN split tunneling

VPN split tunneling defined: A VPN configuration that routes only selected internet traffic through an encrypted tunnel, allowing the rest to connect directly via the ISP. Unlike full tunneling, split tunneling gives users control over which data is protected and which bypasses the VPN entirely.

Split tunneling is an additional feature for some VPNs that allows you to route only selected activity through the VPN, creating two simultaneous connections: one protected, one direct.

To appreciate the benefits of split tunneling, it helps to understand what a VPN’s IP masking actually does. If the VPN server is in São Paulo, websites see a Brazilian IP address. That’s useful for hiding the origin of activity, but it’s less efficient for services that need to know the user’s real location.

What are the different types of VPN split tunneling?

VPN split tunneling can be configured in several ways depending on your needs.

App-based split tunneling

This is the most common option: you select specific applications to route through the VPN, while the rest connect directly to the public web. This is useful for apps requiring stronger security, such as a work email client. Multiple apps can be selected on a case-by-case basis to free up bandwidth and reduce load on the VPN server.

Inverse split tunneling

This option selects only specific applications to bypass the VPN, while the rest of internet traffic goes through it. It is useful when most data needs protection but certain apps require a direct ISP connection – for example, location-dependent apps like weather services, or streaming platforms that restrict VPN IP addresses.

Domain-specific split tunneling

Instead of configuring by app, you choose specific websites to route through the VPN, with all other domains using the open web. This is a streamlined approach for users who only need privacy for certain content. However, it is substantially less secure overall.

Dynamic split tunneling

More granular configurations allow users to include or exclude traffic based on DNS domain names. Security services may prefer to route unknown or suspicious domain requests through a specific server for enhanced scrutiny, while allowing other traffic to pass more efficiently.

What are the benefits of VPN split tunneling?

The main advantages of split tunneling come down to flexibility, performance, and user control.

Faster connections

VPNs function as proxy servers: before accessing a website, a user’s request must be encrypted, tunneled to the VPN, decrypted, and forwarded to the destination – before the response makes the same journey back.

With a quality VPN, latency is usually negligible for basic tasks. But with many simultaneous operations (downloads, streaming, multiple open tabs), routing everything through the VPN can slow connections noticeably. Split tunneling lets users assign VPN protection only where it’s needed, preserving speed elsewhere without toggling the VPN on and off each time.

Secure remote work connections

For users who need VPN protection primarily for work, split tunneling allows a company VPN to handle sensitive communications while personal traffic uses the local network directly. Important note: This still leaves non-work activity open to surveillance and cyber attacks.

Accessing foreign and local services simultaneously

If a VPN positions your location in Korea, a weather app returns Korean results for a user sitting in Chicago. Split tunneling lets location-dependent apps use the local network while other traffic passes securely through the VPN.

What are the security risks of VPN split tunneling?

Split tunneling has clear benefits. But choosing to let some traffic bypass the VPN means accepting exposure for that portion of activity.

Compromised data security

Split tunneling means only part of a user’s online activity is anonymous. Whatever bypasses the VPN can be compromised through external surveillance of your metadata, the exploitation of unencrypted sensitive information, or malicious cyber attacks.

The internet has some default encryption for secured sites, but the scope of mass surveillance is far broader than many users assume. Government surveillance programs revealed in the 2013 Snowden disclosures demonstrated mass metadata collection capabilities targeting millions of users. [1]

Malware infections

A VPN can protect users against some cyber attacks, but it cannot protect against malware already on a device. Browsing with an exposed IP address and without encryption opens a user to exploitation through malware or spyware, including through accidental clicks on malicious links. Once malware is present, even data configured for VPN encryption can be compromised before the VPN can protect it. A 2017 CSIRO study of 283 Android VPN apps found 38% injected malware or tracking libraries into user traffic. [2]

Network management and security

In corporate or institutional networks, split tunneling can complicate security oversight. When some devices allow unencrypted access to the public internet, monitoring becomes more difficult. In settings where sensitive information is handled, this can carry financial and legal risks.

Configuration errors

The more complex the split tunneling setup, the greater the risk of misconfiguration. If users don’t define precise enough rules, sensitive data intended for the VPN can end up routing directly to the public internet.
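
A rule gap of the kind described above can be caught before a policy is deployed. The following is an added example, not NymVPN's code or configuration format: a minimal audit of a domain-based split-tunnel policy, in which the policy dictionary, the hostnames and the function names are all hypothetical.

```python
# Added example: audit a domain-based split-tunnel policy for leaks.
# The policy format, hostnames and function names are hypothetical.

def matches(host, rule):
    """True if host equals rule or is a subdomain of it (label-aligned)."""
    host, rule = host.lower().rstrip("."), rule.lower().rstrip(".")
    return host == rule or host.endswith("." + rule)

def route_for(host, policy):
    """Return 'vpn' or 'direct' for a hostname under the policy.

    'include': listed domains use the VPN, the rest go direct.
    'exclude': listed domains bypass the VPN (inverse split tunneling).
    'full':    everything is tunneled.
    """
    mode = policy["mode"]
    if mode == "full":
        return "vpn"
    listed = any(matches(host, r) for r in policy["domains"])
    if mode == "include":
        return "vpn" if listed else "direct"
    if mode == "exclude":
        return "direct" if listed else "vpn"
    raise ValueError(f"unknown mode: {mode}")

def audit(policy, sensitive_hosts):
    """Return findings: sensitive hosts that go direct, plus DNS exposure."""
    findings = [f"{h} bypasses the VPN" for h in sensitive_hosts
                if route_for(h, policy) == "direct"]
    # Hostnames of tunneled sites are still exposed if lookups go direct.
    if policy["mode"] != "full" and not policy.get("dns_via_vpn", False):
        findings.append("DNS queries leave outside the tunnel")
    return findings

# Constructed sample data (not real hosts).
SENSITIVE = ["mail.corp.example", "sso.corp.example", "files.corp-cdn.example"]
TOO_NARROW = {"mode": "include", "domains": ["mail.corp.example"],
              "dns_via_vpn": False}
CORRECTED = {"mode": "include", "dns_via_vpn": True,
             "domains": ["corp.example", "corp-cdn.example"]}
INVERSE = {"mode": "exclude", "domains": ["weather.example"],
           "dns_via_vpn": True}

if __name__ == "__main__":
    for name, pol in [("too narrow", TOO_NARROW), ("corrected", CORRECTED),
                      ("inverse", INVERSE)]:
        print(name, "->", audit(pol, SENSITIVE) or "no findings")
```

The too-narrow policy tunnels only the mail host, so the single sign-on and file hosts go direct and DNS lookups leave outside the tunnel; the corrected and inverse policies produce no findings.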

Split tunneling on a centralized vs. decentralized VPN?

Users comparing VPNs will encounter two main types:

  • Mainstream centralized VPNs rely on servers they own or rent, typically from the same service provider. Users must trust the VPN provider with their traffic, and centralized infrastructure creates a single point of vulnerability for data breaches.

  • Decentralized VPNs (dVPNs) transmit traffic through a decentralized network of many unlinkable nodes. This design makes data breaches virtually impossible and traffic analysis exceedingly difficult.

Traditional centralized VPNs may offer faster speeds for all traffic – after all, one-hop is faster than many-hops by default. But that speed comes at the cost of a network more vulnerable to breaches, cyber attacks, and government pressure for user records.


Nym’s verdict: Split tunneling done right

Does split tunneling work differently on a decentralized VPN? In terms of pure mechanics, no: it functions the same way on traditional and decentralized VPNs. Split tunneling configurations are selective modifications of full tunneling: a user voluntarily creates exceptions to bypass the VPN’s security features. Whatever doesn’t go through the VPN is potentially vulnerable to surveillance, traffic analysis, and activity being linked back to you.

Real privacy is determined by the underlying architecture of the VPN network. Centralized one-hop servers are faster than multi-hop dVPNs, but at the cost of a network more vulnerable to data breaches, cyber attacks, and government pressure for user records.

Choose the degree of your own privacy

Split tunneling is about user preference and choosing what traffic goes through a VPN. NymVPN offers users the choice between its Fast mode and a novel Anonymous mode for enhanced security. With split tunneling, users can assign genuinely sensitive traffic to Anonymous mode, everyday traffic to Fast mode, and latency-critical activity directly to the ISP – without compromising anonymity for performance.

VPN split tunneling gives users control over what gets protected, but the quality of that protection depends on the underlying VPN architecture. For users who need both flexibility and genuine privacy, NymVPN gives you control over both privacy protections and speed.


VPN split tunneling: FAQs

Yes, if split traffic bypasses the VPN, DNS queries or IP exposure can occur. A secure split-tunneling implementation enforces DNS tunneling and isolates specific apps while ensuring critical traffic stays encrypted.

In mixnet VPNs like NymVPN, selective split tunneling can be configured so only latency-sensitive traffic bypasses the mixnet while sensitive browsing goes through an alternative decentralized network with fewer hops. This balances speed and advanced privacy protections for sensitive tasks.

Inverse split tunneling routes all traffic through the VPN except specified exclusions, making it ideal for security-first use where most traffic needs protection and only trusted apps or destinations are exempt.

Advanced VPN clients designed for privacy like NymVPN include app-level logs or visual dashboards that show split-tunnel routing per application and warn if insecure traffic is routed outside the tunnel.

Split tunneling enables access to corporate LAN resources via VPN while letting public internet traffic bypass it, making it useful for hybrid enterprise setups or when using country-specific services alongside secure work communication.

About the authors


Casey Ford, PhD

Communications Lead
Casey is the Head of Communications, lead writer, and editorial reviewer at Nym. He holds a PhD in Philosophy and researches the intersection of decentralized technologies and social life.

Ania M. Piotrowska, PhD

Technical reviewer
Ania is Nym's Chief Scientific Officer. She focuses on security, distributed systems, and anonymous communication, including onion routing and mix networks.
