Split tunneling is a concept used with VPN technology, particularly for remote access VPNs.

A VPN is a network “tunnel.” Your computer has a packet it wants to send to some remote device. It encrypts the packet and puts a new packet header on it. Then it sends this new packet to the remote VPN host. The VPN host pulls the new header off the packet and decrypts the original packet. Then it forwards the packet along to its ultimate destination.

We call this a tunnel because the original packet is encrypted and hidden from view as it crosses the internet to get to the VPN host. The original packet emerges from the tunnel and is forwarded on, looking like it had only gone one hop instead of the possibly dozens of hops that the encrypted packet actually travelled.

The concept of split tunneling is used when only some of the packets from your computer are forwarded through this VPN connection.

If split tunneling isn’t enabled, all of your packets are encrypted and forwarded to the VPN host. With split tunneling, a policy (in corporate VPNs usually a set of destination prefixes, i.e. routes, pushed by the VPN server) decides which packets are encrypted and forwarded to the VPN host and which are sent directly out the local interface with no VPN encryption at all. That policy has to cover name resolution as well: if lookups for internal hostnames go to the home router’s resolver instead of through the tunnel, they fail and expose the names, so a usable split-tunnel configuration also sends the corporate resolver (or at least the corporate domains) through the tunnel.

There are pros and cons to VPN split tunneling. Deciding which is right for your network depends on knowing your requirements and risk tolerance.

The pros of VPN split tunneling: speed and performance

Without split tunneling, all packets must pass through the tunnel. In the case of corporate VPN solutions, all the traffic destined to systems inside the corporate network must go through the VPN.

The question is what to do with the packets that are heading somewhere else. For example, although the connection to the server inside your network must use the VPN just to get access, your Google session, a news site like the New York Times, or your online banking don’t really need to pass through the VPN. And if you’re streaming a movie or taking part in a video conference, that’s potentially a lot of packets getting encrypted and sent through the VPN.

The biggest disadvantage to having all traffic pass through the corporate VPN host is performance. It’s a detour for any packets that are heading back out to the public internet. And it’s a detour that probably means packets that have nothing to do with the corporate network end up traversing the same corporate internet link twice. So it’s slower and it causes congestion.

Split tunneling was invented largely to solve this performance problem. It lets VPN users direct their non-corporate traffic out to the internet without involving the corporate links or equipment.

The cons of VPN split tunneling: security compromises

There are some very compelling security reasons why many companies prefer to accept the performance hit of passing everything through the corporate VPN host.

If all of the user-to-internet traffic has to pass through the corporate VPN host, it can be subjected to the same security scrutiny as it would be if the user were on site. Known bad sites on the internet can be blocked, either for content reasons (appropriate use) or security reasons.

If the corporate VPN redirects internet traffic through a central point, it can also route that traffic through security devices that do deep packet inspection to look for malicious content. Keep in mind that most of that traffic is TLS: inspecting the content, rather than just destination IPs, DNS names and TLS server names, requires TLS interception with a corporate CA certificate installed on the endpoint.

Very few end users have the same sort of security infrastructure on their home networks as companies do, so forcing all of the endpoint’s traffic through the corporate infrastructure effectively places that machine’s internet access behind the corporate perimeter, which is likely safer. Note that only the traffic leaving the VPN-connected machine is covered; the rest of the home network gains nothing from it.

Or maybe your user isn’t on their home network. They might be on a public Wi-Fi network in a cafe, hotel, or airport. In these cases, other devices on what would normally be considered the local “trusted” network should be treated as hostile: they could be snooping on your traffic or trying to communicate with your computer over local protocols. In these situations, it makes a lot of sense to encrypt everything and send it to a central VPN host before forwarding it out to the internet. The tunnel only protects traffic leaving your machine, though; what stops a neighbouring device from probing your laptop is the host firewall, or the VPN client’s option to block local network access, not the tunnel itself.

But the biggest reason IT security people cite for disabling split tunneling is a little more subtle.

Suppose your computer has become infected with some sort of malware. A typical pattern for attacks against corporate infrastructure is to first compromise an end-user computer and then pivot from it, exploiting any trust relationships associated with that computer (a logged-in VPN session, cached credentials, reachable internal services) and snooping on things you type, like user IDs and passwords.

But really exploiting this requires that the attacker be in contact with your computer while your computer has access to the corporate network. With split tunneling disabled, the malware’s command-and-control connection to its server on the internet has to go through the tunnel, where the corporate security infrastructure has a chance to detect and block it. With split tunneling enabled, that same connection goes straight out the local interface while the tunnel to the corporate network is up, and the corporate security tools never see it.

For this reason, enabling split tunneling is considered less secure.
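As an added example (not code from the original article), here is a small Python simulation of two things described above: the route-based split-tunnel rule that decides per destination whether a packet enters the tunnel, and the command-and-control visibility problem, i.e. which flows the corporate inspection point actually sees under each policy. The routing table uses longest-prefix matching the way the operating system does. The corporate prefixes, interface names and sample flows (including the “C2 beacon”, which points at a documentation address, not a real indicator) are constructed for illustration.

```python
"""Route-based split tunneling, simulated (added example, not the article's code).

A longest-prefix-match routing table decides, per destination, whether a packet
enters the VPN tunnel or goes straight out the local interface. The flows,
prefixes and interface names below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

TUNNEL = "tun0"   # handed to the VPN client; visible to corporate security
DIRECT = "wlan0"  # sent out the local interface; invisible to corporate security

# Constructed corporate address space. In a real deployment these prefixes are
# pushed by the VPN server (OpenVPN "push route", WireGuard AllowedIPs, etc.).
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24"]
# Constructed home/cafe LAN; it stays direct in both modes so the local gateway
# (and the VPN server behind it) remains reachable.
LOCAL_LAN = "192.168.1.0/24"


def build_table(split_tunnel: bool):
    """Return [(network, interface)] for the requested policy.

    Split tunnel: only the corporate prefixes go via the tunnel and the default
    route stays on the local interface. Full tunnel: the default route also
    points into the tunnel, so anything not matched more specifically is encrypted.
    """
    table = [(ipaddress.ip_network(p), TUNNEL) for p in CORPORATE_PREFIXES]
    table.append((ipaddress.ip_network(LOCAL_LAN), DIRECT))
    table.append((ipaddress.ip_network("0.0.0.0/0"), DIRECT if split_tunnel else TUNNEL))
    return table


def route(table, dst: str) -> str:
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for net, iface in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    if best_if is None:
        raise ValueError(f"no route to {dst}")
    return best_if


@dataclass(frozen=True)
class Flow:
    name: str
    dst: str


# Constructed flows from a remote worker's laptop. The "C2 beacon" destination
# is in a documentation range (203.0.113.0/24), not a real indicator.
FLOWS = [
    Flow("file server (corporate)", "10.20.30.40"),
    Flow("DNS to home router", "192.168.1.1"),
    Flow("online banking (TLS)", "198.51.100.7"),
    Flow("video conference", "203.0.113.50"),
    Flow("malware C2 beacon", "203.0.113.99"),
]


def inspected_flows(split_tunnel: bool) -> list:
    """Names of the flows that enter the tunnel and therefore pass the corporate
    inspection point under the given policy."""
    table = build_table(split_tunnel)
    return [f.name for f in FLOWS if route(table, f.dst) == TUNNEL]


if __name__ == "__main__":
    for split in (False, True):
        seen = inspected_flows(split)
        print(f"split_tunnel={split}: inspected {seen}")
        print("  C2 beacon visible to corporate security:", "malware C2 beacon" in seen)
```

With the full-tunnel table, every flow except the one to the local router enters the tunnel, so the beacon passes the corporate inspection point; with the split-tunnel table only the file-server flow does, and the beacon leaves the laptop unseen while the corporate session is open. One real-world detail the simulation simplifies: full-tunnel clients usually do not replace 0.0.0.0/0. OpenVPN’s `redirect-gateway def1`, for example, adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win by longest-prefix match without touching the original default route, plus a host route to the VPN server itself via the physical gateway so the tunnel’s own packets are not routed into the tunnel.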

What about VPN services?

Some commercial VPN services like NordVPN and TunnelBear have split tunnel options. These generally work differently from what I’ve described above. Instead of exempting specific destination networks from the tunnel (a route-based policy), these services often exempt specific applications: traffic from an exempted application bypasses the VPN regardless of where it is going.

For example, if you were travelling and wanted to use the same applications you use at home, you might want those applications to pass through the VPN service. This way the servers for those applications would think you were back at home and would work normally. But you might need to use some locally relevant applications that only work in the country where you currently are. In this case, you could exempt those local applications from the VPN service.

However, as before, the exempted applications lose the protection of the tunnel: their traffic leaves from your real IP address with only whatever encryption the application itself provides (TLS, for example), so split tunneling is somewhat less secure for those applications.

To split tunnel or not to split tunnel?

The decision on whether to split tunnel VPN traffic or not depends a lot on your organizational risk tolerance and your complementary security tools.

For example, having an endpoint security platform that applies many of the same protections as your corporate security perimeter may negate the need to route all traffic through your corporate perimeter and allow you to split tunnel in relative safety. Similarly, if you route all web browsing traffic through a cloud-based proxy service directly from the user workstation, then split tunneling is almost as secure as being physically inside the corporate network.

When making your decision, I’d encourage you to look for reasons to enable split tunnel VPN, rather than looking for reasons not to.