Split Tunneling Explained: Route Some Apps Through the VPN, Others Direct (2026)

Most people treat a VPN as all-or-nothing: either every app runs through the encrypted tunnel, or the VPN is off. Split tunneling is the middle path — it lets you send some traffic through the VPN while the rest uses your normal connection. Done well, it's genuinely useful; done carelessly, it quietly exposes traffic you assumed was protected. This guide explains how split tunneling works, the three types, when to use it, and the leak risks to watch.

What split tunneling is

A VPN normally captures all your device's traffic and routes it through an encrypted tunnel to a VPN server. Split tunneling changes that rule selectively: you decide which apps or destinations go through the tunnel and which bypass it to use your real, direct connection.

The benefit is flexibility. The catch, stated plainly: anything you route outside the tunnel is not protected — it travels over your normal connection with your real IP, visible to your ISP. Split tunneling is about applying that trade-off deliberately, not accidentally.

The three types

• App-based (most common). You choose which applications use the VPN and which skip it — e.g. browser through the VPN, banking app direct. NordVPN and most providers offer this on Windows, macOS and Android.
• URL/domain-based. Usually a browser extension: named sites go through (or around) the tunnel, the rest follow the default. Finer-grained for web use.
• Inverse split tunneling. Everything goes through the VPN by default except the apps or sites you explicitly exclude. This is the safer default, because any new app is protected automatically — you only ever open specific, deliberate holes.

Note: iOS rarely supports split tunneling because Apple's VPN APIs restrict it; it's mainly a desktop and Android feature.

Real use cases

• Keep local devices reachable. Route your traffic through the VPN but exclude your LAN so a printer, NAS or smart-home hub stays accessible.
• Bank direct, stream abroad. Many banks block or challenge VPN IPs. Send your streaming app through a foreign server while your banking app uses your real connection.
• Speed for heavy, non-sensitive traffic. Keep a large game download or backup off the tunnel so it doesn't pay the encryption/detour overhead.

The risk to watch: what leaks outside the tunnel

The whole danger of split tunneling is misjudging what to exclude. Exclude a browser "for speed," then use it for something sensitive, and you've sent that traffic in the clear with your real IP. Two safeguards:

1. Prefer inverse split tunneling on untrusted networks — protect everything, exclude only specific apps you're sure don't need privacy.
2. Pair it with a kill switch. A split-tunnel setup still benefits from a kill switch so that, if the VPN drops, the tunneled apps don't silently fall back to your real connection.

After configuring it, verify reality matches intent: run a DNS/IP leak test and confirm the apps you meant to protect show the VPN's IP — see how to check your VPN works and our complete VPN security audit.

The bottom line

Split tunneling turns the VPN from a blunt all-or-nothing switch into a precise tool: protect what matters, keep local devices and VPN-hostile services on your real connection, and spare bandwidth-heavy traffic the detour. Just respect the trade-off — excluded traffic is unprotected — favour inverse split tunneling on untrusted networks, and verify with a leak test that the apps you care about really are inside the tunnel.

Editorial guide based on how split tunneling works across major VPN clients (app-based, URL-based and inverse modes) and its documented platform limits (notably iOS). The commercial link carries the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.