What is split tunneling?

Put simply, split tunneling is routing some of your data through an encrypted VPN connection while letting other apps and data reach the internet directly. It is mostly relevant to remote-access VPNs (probably like your work-from-home setup), where your computer connects directly to a remote network at your office.

We use the term remote access here to distinguish between this type of connection and site-to-site VPNs, where network devices are connecting directly to each other.

All VPN types are a network “tunnel”. Say your computer has a packet it wants to send to a remote device. Without a VPN, it sends that packet out into the network and lets it hop from device to device until it reaches the destination. With a VPN, the packet is first sent, in encrypted form, to a VPN termination point. There the original packet is extracted, decrypted, and sent along to its ultimate destination. To that destination the packet appears to have come from the VPN termination point, and its TTL shows only the hops after the tunnel, not the dozens of hops the encrypted outer packet actually crossed to get there.

Diagram: split VPN tunnel traffic.

We call this a tunnel because the original packet is encrypted and hidden from view as it crosses the internet to the VPN host. The VPN software encrypts the original packet, header and all, and puts a new packet header on it addressed to the remote VPN host. The VPN host strips the new header, verifies and decrypts the original packet, and forwards it to its original destination.

Diagram: a data packet vs. an encrypted VPN data packet.
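The encapsulation just described, as an added worked example that is not code from the article or any VPN product. It builds a real IPv4 header around an encrypted copy of the original packet and then reverses the process. The cipher is a stdlib stand-in (HMAC-SHA256 keystream plus an HMAC tag) for the AEAD a real VPN negotiates and uses; the keys, addresses and payload are constructed for the example.

```python
"""Added example (not from the article): wrapping one IP packet inside another
the way a VPN tunnel does. The cipher below is an HMAC-SHA256 counter-mode
keystream plus HMAC tag, a stdlib stand-in for AES-GCM or ChaCha20-Poly1305;
keys and addresses are constructed placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ENC_KEY = b"\x01" * 32   # constructed; a real VPN derives keys from a handshake
MAC_KEY = b"\x02" * 32
OUTER_PROTO = 50         # ESP's IP protocol number, used here only as a label


def ipv4_checksum(data):
    """RFC 1071 one's-complement checksum; a correct header sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet (20-byte header, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields and payload of an IPv4 packet."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def keystream(nonce, length):
    """Deterministic keystream from (key, nonce, counter); never reuse a nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + struct.pack("!I", counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(plain, nonce):
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    ct = bytes(p ^ k for p, k in zip(plain, keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(blob):
    """Verify the tag before decrypting; a modified packet is dropped."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag: packet modified in transit or keys differ")
    return bytes(c ^ k for c, k in zip(ct, keystream(nonce, len(ct))))


def encapsulate(inner_pkt, client_ip, vpn_host_ip, nonce=None):
    """Client side: the whole original packet, header included, becomes the
    encrypted payload of a new packet addressed to the VPN host."""
    return ipv4_packet(client_ip, vpn_host_ip, OUTER_PROTO,
                       seal(inner_pkt, nonce or os.urandom(12)))


def decapsulate(outer_pkt):
    """VPN host side: strip the outer header, authenticate and decrypt, and
    hand back the original packet to forward toward its real destination."""
    return unseal(parse_ipv4(outer_pkt)["payload"])


if __name__ == "__main__":
    inner = ipv4_packet("192.168.1.23", "10.5.5.5", 17, b"GET /payroll")
    outer = encapsulate(inner, "198.51.100.4", "203.0.113.1")
    o = parse_ipv4(outer)
    print("on the wire :", o["src"], "->", o["dst"], "proto", o["proto"])
    f = parse_ipv4(decapsulate(outer))
    print("after decap :", f["src"], "->", f["dst"], f["payload"])
```

Everything an observer on the path sees is the outer header (client address to VPN host address) and opaque ciphertext; the inner addresses, protocol and payload only reappear after the tag check on the VPN host.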

What are the different types of split tunneling?

Besides the standard method explained above, there are three general variants when it comes to split tunneling:

  1. Inverse split tunneling. With conventional split tunneling, only specified traffic is routed through the VPN, such as traffic bound for sensitive internal destinations. Inverse split tunneling is the exact opposite: everything goes through the tunnel except the specific destinations or applications (general web browsing, say) that you identify to be routed directly to the internet.
  2. Dynamic split tunneling. Traditional split tunneling relies on ACLs of IP prefixes to decide what is in or out of the tunnel. Dynamic split tunneling extends that with DNS domain names: the client watches DNS responses, and the addresses resolved for a listed domain are added to the include or exclude list on the fly, so traffic to a service whose IP addresses keep changing can still be kept out of (or in) the tunnel.
  3. Dual-stack networking (unintended split tunneling). Less an option than a situation to be aware of: if your connection has both IPv4 and IPv6 but the VPN client only captures IPv4, traffic to any dual-stack destination (which hosts and browsers prefer to reach over IPv6) goes out unencrypted, around the tunnel. Make sure your VPN either tunnels IPv6 as well or blocks it while connected!
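The routing decision behind these three variants, as an added worked example that is not code from the article or from any VPN product. It models the VPN's route table as a WireGuard-style AllowedIPs list (the peer stanzas, key and endpoint are constructed placeholders) and feeds in DNS answers by hand, since the dynamic variant acts on resolved addresses rather than names. It goes a little beyond the text by showing the local-LAN case and the IPv6 leak check in the same policy object.

```python
"""Added example (not from the article): per-destination routing under the
three split-tunnel variants. The VPN route table is modelled as a WireGuard
style AllowedIPs list and DNS answers are supplied by hand; the stanzas,
key and endpoint below are constructed placeholders."""
import ipaddress
import re

FULL_TUNNEL_V4_ONLY = """
[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""

SPLIT_INCLUDE = """
[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, fd00:c0:ffee::/48
"""


def allowed_ips(conf):
    """Parse AllowedIPs out of a peer stanza. In WireGuard that list is the
    route table: only packets to these prefixes are sent into the tunnel."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+?)\s*$", line)
        if m:
            nets += [p.strip() for p in m.group(1).split(",")]
    return nets


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


class SplitTunnelPolicy:
    """Decide, per destination, whether a packet enters the tunnel.

    tunnel_nets      prefixes routed into the VPN (split include; 0.0.0.0/0
                     together with ::/0 makes it a full tunnel)
    exclude_nets     prefixes carved out of the tunnel (inverse split tunnel)
    exclude_domains  names whose resolved addresses are carved out as they
                     resolve (dynamic split tunnel)
    local_lan        directly connected subnets the client keeps local
    """

    def __init__(self, tunnel_nets, exclude_nets=(), exclude_domains=(),
                 local_lan=()):
        self.tunnel_nets = [_net(n) for n in tunnel_nets]
        self.exclude_nets = [_net(n) for n in exclude_nets]
        self.local_lan = [_net(n) for n in local_lan]
        self.exclude_domains = {d.lower().rstrip(".") for d in exclude_domains}

    def learn_dns(self, name, answers):
        """Dynamic split tunneling: when an excluded domain (or a subdomain
        of one) resolves, add each answered address as a host route to the
        exclude list. A /32 or /128 is the most specific prefix possible, so
        it beats any tunnel route in the longest-prefix match in route()."""
        name = name.lower().rstrip(".")
        if name in self.exclude_domains or any(
                name.endswith("." + d) for d in self.exclude_domains):
            for addr in answers:
                host = ipaddress.ip_network(addr)
                if host not in self.exclude_nets:
                    self.exclude_nets.append(host)

    def route(self, dst):
        """Return 'local', 'tunnel' or 'direct' for one destination."""
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.local_lan):
            return "local"
        matches = [(net, "tunnel") for net in self.tunnel_nets if ip in net]
        matches += [(net, "direct") for net in self.exclude_nets if ip in net]
        if not matches:
            # No VPN route covers it: the OS default route sends it out of
            # the physical interface, unencrypted.
            return "direct"
        # Longest-prefix match, the same rule the kernel's route table applies.
        matches.sort(key=lambda m: m[0].prefixlen, reverse=True)
        return matches[0][1]

    def ipv6_leaks(self):
        """Dual-stack caveat: a 'full tunnel' that captures only 0.0.0.0/0
        leaves every IPv6 destination on the direct, unencrypted path."""
        defaults = {n.version for n in self.tunnel_nets if n.prefixlen == 0}
        return 4 in defaults and 6 not in defaults


if __name__ == "__main__":
    corp = SplitTunnelPolicy(allowed_ips(SPLIT_INCLUDE), local_lan=["192.168.1.0/24"])
    for dst in ("10.20.30.40", "192.168.1.50", "142.250.72.14", "fd00:c0:ffee::10"):
        print("split include    ", dst, "->", corp.route(dst))

    inverse = SplitTunnelPolicy(["0.0.0.0/0", "::/0"], exclude_nets=["203.0.113.0/24"],
                                exclude_domains=["video.example.com"])
    inverse.learn_dns("cdn.video.example.com", ["198.51.100.9"])  # constructed answer
    for dst in ("8.8.8.8", "203.0.113.7", "198.51.100.9", "198.51.100.10"):
        print("inverse + dynamic", dst, "->", inverse.route(dst))

    broken = SplitTunnelPolicy(allowed_ips(FULL_TUNNEL_V4_ONLY))
    print("IPv4-only full tunnel leaks IPv6:", broken.ipv6_leaks(), broken.route("2001:db8::1"))
```

The point to take from the last case is that an IPv4-only full tunnel looks complete from the client's own route table, yet every IPv6 destination falls through to "direct"; a real client should install an IPv6 default route into the tunnel or block IPv6 entirely while connected.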

The pros of split tunneling: speed and performance

One of the major advantages to split tunneling is it represents the best of both worlds: the speed and performance of an unencrypted link, but the data security when and where you need it.

Think of the alternative, where everything has to pass through the VPN tunnel. Though your connection to the server inside your corporate network must use the VPN just to get access, your web browsing and online banking really don’t need to. And if you’re streaming a movie or taking part in a video conference, that’s potentially a lot of packets being encrypted and sent through the VPN.

That’s a big detour for packets that are heading back out to the public internet. And it’s a detour that probably means packets having nothing to do with the corporate network are traversing that same corporate internet link twice—it’s slower, it causes congestion, and it’s a nightmare for your network monitoring solution to have to parse.

The other big disadvantage to tunneling everything is that, unless the VPN client explicitly allows local LAN access, it prevents your computer from talking to your printer or other local devices. If you try to print, the packets get encrypted and forwarded out of your local network, off to a remote network that doesn’t know how to reach your printer.

Split tunneling was invented largely to solve these problems. It lets VPN users direct their non-corporate traffic out to the internet without involving the corporate links or equipment.

The cons of split tunneling: security compromises

There are some compelling security reasons why many companies prefer to accept the performance hit of driving everything through their VPN connection. Namely, if all of that user-to-internet traffic has to pass through the corporate VPN host, then it can be subjected to the same security scrutiny it would get if the user were on site (in the office). Known bad sites on the internet can be blocked, either for content (appropriate use) or security reasons (malware sites, etc.).

If the corporate VPN redirects internet traffic through a central point, then it can also redirect that traffic through security devices such as intrusion prevention systems (IPS) that do deep packet inspection to look for malicious content. Because very few end users have the same level of security infrastructure on their home networks, forcing all of that traffic through the corporate infrastructure essentially places your home network behind the corporate perimeter, which is likely safer.

Or maybe you aren’t on your home network. You might be on a public Wi-Fi network in a cafe or hotel. In these cases, other devices on the local network should be treated as hostile by default. They could be snooping on your traffic and trying to break into your computer over local protocols. In these situations, it makes a lot of sense to encrypt everything and send it to a central VPN host before forwarding it out to the internet.

But the biggest reason that IT security people cite for disabling split tunneling is a little more subtle. Suppose your computer has become infected with some sort of malware. A typical pattern for attacks against corporate infrastructure is to first compromise an end-user’s computer. From there, they exploit any trust relationships associated with that computer. They can also snoop on things that you might type, like user IDs and passwords.

Exploiting this kind of foothold requires that the attacker can reach your computer while your computer can reach the corporate network. With split tunneling disabled, the attacker’s command-and-control traffic has to cross the corporate security infrastructure, which has a chance to spot and block it. With split tunneling enabled, that traffic goes straight out to the internet and the corporate tools never see it.

So for this reason, split tunneling is considered less secure.

What’s different about VPN services?

Some commercial VPN services, like NordVPN and TunnelBear, do include split tunneling options. These work slightly differently than what I have described above. Instead of exempting specific destination IP addresses from the protection of encryption and tunneling, these services generally exempt specific applications.

These services usually provide a way to set up either an exclusion list (a set of applications that will not go through the VPN, with everything else tunneled by default) or an inclusion list (a set of applications that will go through the VPN, with everything else exempted from the tunnel by default). Since you probably aren’t aware of every application on your device, it’s usually best to use the exclusion list and name only those applications you want to bypass the tunnel. That way everything else, including whatever you forgot about, is encrypted.

So, for example, if you were traveling and wanted to use the same applications that you use at home, you’d want to ensure that those applications pass through the VPN service. This way, the servers for those applications would think that you’re at home and work normally. However, you might need to use some locally relevant applications that only work in the country where you currently are. In this case, you could exempt those local applications from the VPN service. However, as before, the lack of encryption means that split tunneling is somewhat less secure for those applications that are exempted from the tunnel.

VPN system monitoring

VPN monitoring, as the name suggests, is the application of network performance monitoring to a VPN connection. With many employees working remotely now and into the future, VPN connections have become commonplace, and so has the need to monitor their behavior, in particular by measuring and tracking the connectivity, throughput, and latency of your VPN.

Solutions like Auvik can be tailored to VPN connections that are either split tunneled or not. You can customize Auvik to focus on just the types of traffic you know are included in your VPN, while ignoring the data you know to be unimportant to monitor.

Some of the most common issues you might encounter when monitoring your VPN sessions are:

Errors in setup. VPN connections may be new to a lot of your employees. Making sure you can quickly diagnose and solve common connectivity issues will come in handy.

Capacity and licensing. VPN connections are typically handled through firewalls, which require you to purchase licenses for the number of connections you will use. Auvik can quickly and easily monitor the number of active VPN sessions across your network and sites.

Performance. Most hardware has a practical limit of how many users or VPN sessions it can handle. Auvik’s device monitoring can offer valuable insight into which of your components is near (or over) its limits with four pre-configured alerts:

  1. The number of SSL VPN sessions has maxed out.
  2. There’s a high number of SSL VPN sessions in use.
  3. There’s a low number of available SSL VPN sessions.
  4. There’s a high percentage of SSL VPN sessions in use.

Performance can also be affected by a number of other measurable factors, like the overall age of your equipment, VPN misconfigurations, or capacity bottlenecks. Here, device performance monitoring is going to provide valuable insights into what may be contributing to slower performance.

To split tunnel or not to split tunnel?

The decision on whether to split tunnel VPN traffic or not depends a lot on your organizational risk tolerance and your complementary security tools. For example, if you have excellent endpoint security software on your device that can apply similar protection to what you can do with your corporate security perimeter, that may be good enough. In that case, you only really need to tunnel the traffic that has to go to your corporate network.

Similarly, if you use a cloud-based web proxy that sends all your browsing traffic through an internet-based service directly from the workstation, split tunneling is almost as secure as being physically inside the corporate network. That combination of good endpoint security software on your devices, and cloud-based web proxy services, makes split tunneling a safe option.

When making your decision, I’d encourage you to look for reasons to enable split tunnel VPN, rather than looking for reasons not to.

Kevin Dooley

About Kevin Dooley

Kevin has 15+ years of experience as a network engineer. He has designed and implemented several of the largest and most sophisticated enterprise data networks in Canada and written several highly regarded books on networking for O'Reilly and Associates, including Designing Large-Scale LANs and Cisco IOS Cookbook. Kevin holds a Ph.D. in theoretical physics and numerous industry certifications.

3 comments on “The Pros and Cons of VPN Split Tunneling”

  1. Glenn Lindsey says:

    I’m a newbie studying cybersecurity. This article/blog post has been very helpful. Thanks

  2. VPN says:

    It’s great that you are sharing useful information. I enjoy reading your blog.
    David, author, and owner of the blog https://vpnheroes.com/

  3. Robert says:

    If I do split tunneling for Plex so I can access my server remotely, am I still secure as if I wasn’t?
