VPNs (virtual private networks) have rapidly become essential for remote workers and organizations. VPNs provide enhanced privacy, security, and access to restricted resources by creating an encrypted tunnel for internet traffic. However, many IT professionals grapple with the tradeoffs inherent in routing all traffic through a VPN tunnel. VPN split tunneling offers a versatile solution by allowing you to intelligently segment VPN and non-VPN traffic.

This guide covers everything about VPN split tunneling, including how it works and future trends.

What is VPN split tunneling?

So what is split tunneling for a VPN?

It’s a networking configuration where only specific traffic is routed through a VPN. At the same time, the remaining data is sent directly over the internet.  

Split tunneling means that some of your data is routed through an encrypted VPN connection while other apps and data have direct access to the Internet. It’s primarily relevant for remote access-type VPNs (like your work-from-home setup), where your computer is connected directly to a remote network at your office.

A diagram of split tunnel traffic
Split VPN tunnel traffic

We use the term remote access here to distinguish between this type of connection and site-to-site VPNs, where network devices connect directly to each other.

All VPN protocols are a network “tunnel” or path. Say your computer has a packet that it wants to send to a remote device. Without a VPN, it will send that packet out into the network and let it hop from device to device until it reaches the destination.

But with a VPN, the packet is sent first in encrypted form to a VPN termination point. The original packet is extracted, decrypted, and sent to the ultimate destination, looking like it has only traveled one hop instead of the dozens an encrypted packet will travel. Without a VPN, that packet would have taken a different, more direct path to the destination.

We refer to it as a tunnel because the original packet is encrypted and hidden from view as it crosses the internet to get to the VPN host. The VPN software encrypts the original packet and puts a new packet header on it. Then, it sends this new packet to the remote VPN host. The VPN host pulls the new header off the packet and decrypts the original packet. Subsequently, it forwards the packet along to its original destination.

Split tunneling differs from a traditional VPN, because, conceptually, you have two paths: the VPN tunnel and the open internet. Sensitive traffic like corporate networks, financial apps, medical systems, or streaming media requiring location spoofing goes into the secure VPN tunnel. Meanwhile, general web browsing, video streaming, gaming, and other everyday traffic stays outside on the open internet. With this kind of granular traffic management, you get the best of both worlds—uncompromised privacy where you need it without sacrificing speed or functionality.

A data packet vs. an encrypted VPN data packet.
A data packet vs. an encrypted VPN data packet.

Different types of VPN split tunneling

There are several common split tunneling implementations that give you flexibility to segment VPN traffic as needed:

1. Inverse VPN split tunneling

Normally, only specified data is routed through your VPN, like data bound for sensitive internal destinations. With inverse tunneling, it’s the exact opposite: all data is sent through the tunnel, except the specific sources (like web browsing) you identify to be routed directly to the internet.

This inverse approach maximizes privacy by default but still gives you granular control to improve performance where needed. Inverse tunneling is ideal if your priority is keeping your data secure.

2. Dynamic VPN split tunneling 

While traditional split tunneling relies on access control lists (ACLs) to decide what traffic is included or not in the tunnel, dynamic split tunneling enhances that by using a DNS protocol to decide what traffic/protocols and domains are included or not.

For example, you could create a rule that any traffic destined for financial, healthcare, legal, or other sensitive sites automatically uses the secure VPN tunnel. Adding dynamic rules provides context, making it easier for you to manage split tunnel policies.

3. Dual-stack networking (unintended split tunneling)

This is less of an option and more of a situation to be aware of. If you are running a VPN and can access both IPv4 and IPv6 addresses from your connection, your IPv6 data could be going out unencrypted. Make sure your VPN supports both to prevent unintended privacy and security gaps!

Split tunneling VPN: How it works

To effectively leverage the power of split tunneling, you need to understand the underlying functionality and traffic flow. 

data being routed through a vpn split tunnel

Traffic inspection by VPN client

When you first configure split tunneling, you’ll install VPN client software on each device. This client acts as the traffic cop, inspecting packets and directing them according to the defined rules.

As you use networked applications that generate outbound traffic, the VPN client will intercept each packet first. The client checks whether you have configured custom split tunneling policies.

If you have defined rules, the client inspects the source and destination of each packet to determine if it matches your specified VPN tunnel criteria. This decision point is where split tunneling diverges from traditional one-size-fits-all routing.

Traffic encryption and encapsulation

For any packets matched to the VPN tunnel, the client will encrypt the data payload to obscure it from prying eyes. Encryption prevents eavesdropping and maintains privacy as packets traverse public networks. 

Common protocols you might use include AES, SHA2, RSA, and other military-grade algorithms. The VPN vendor determines the specific standards, key exchange mechanisms, and ciphers used.

In addition to encrypting, the client also encapsulates the original packet within a new standardized header for secure transit across the VPN tunnel itself. This encapsulation process conceals your device’s real IP address.

Secure VPN tunnel transmission

Once encapsulated, packets utilize the encrypted VPN tunnel to reach the remote VPN server. Your client forwards VPN-bound traffic to the VPN server over the tunnel protocol you’ve chosen, like OpenVPN or IPSec. Communication crosses the public internet but remains private due to encryption.

Only your VPN vendor has access to decrypt data at the endpoint server. Packets stay securely encapsulated in transit—traffic leaves your local network through the encrypted VPN tunnel without exposing raw data.

Decryption and forwarding by VPN server

Upon receiving your encapsulated packets, the VPN server peels away the tunnel header to extract the original encrypted payload. Using its private keys, the server then decrypts the packet. The VPN provider maintains strict access controls so only authorized systems can decrypt data, preventing tampering and snooping.

Finally, the VPN server forwards the now decrypted packet out to its original public internet destination from the VPN’s network. The destination server receives your traffic as if your device had sent it directly through a standard internet connection.

Direct internet routing

Meanwhile, any packets not matched to the VPN tunnel will skip encapsulation entirely. This non-VPN traffic simply takes the default route out to the open internet.

Your internet service provider sees requests routed outside the VPN tunnel as originating directly from your IP address. But the source of your VPN traffic is obscured behind the remote tunnel endpoint.

VPN split tunneling: The role of ISPs and private networks

When using split tunneling, you should understand how internet service providers (ISPs) and private networks function within this environment.

For any traffic you route outside the VPN tunnel, your ISP has full visibility. They can observe your public IP address and monitor your unrestrained internet activity that bypasses the tunnel.

ISPs may collect data about your unencrypted browsing habits, websites visited, and applications accessed outside the VPN tunnel. They could potentially monetize or leverage this data. ISPs can also see your geographic location for non-tunneled traffic.

But your ISP has no insight into activity within the encrypted VPN tunnel itself. They can simply confirm your connection to a VPN server endpoint but cannot decipher the actual content or destinations of your VPN-protected activities.

Private networks, either on-premises or cloud-hosted, also operate differently when you implement split tunneling.

Resources on your private network typically require a VPN connection for remote user access. However, split tunneling allows remote workers to additionally access public internet services directly outside the VPN tunnel.

Note that when using split tunneling, your IT team must take care to ensure remote devices route any private network access through VPNs, not directly. Correctly implemented rules will prevent the exposure of private resources.

Conversely, organizations with limited WAN bandwidth avoid saturating their VPN links since public internet traffic utilizes the open internet instead. This facilitates broader remote access without costly infrastructure upgrades.

Benefits of VPN split tunneling

Now that you know how split tunneling works, let’s explore six key benefits that make split tunneling such a versatile solution.

1. Increased bandwidth and network efficiency

One of the major advantages of split tunneling is it represents the best of both worlds: the speed and performance of an unencrypted link but the data security when and where you need it.

If everything has to pass through the VPN tunnel, then that’s potentially a lot of packets getting encrypted and sent through the VPN.It’s just a big detour for packets that are heading back out to the public internet. And one that probably means packets having nothing to do with the corporate network are traversing that same corporate internet link twice—it’s slower, causes congestion, and is a nightmare for your network monitoring solution to have to parse.

2. Gain flexibility and control over traffic routing

The power to intelligently customize traffic routing gives you tremendous flexibility as an IT professional. You can send sensitive applications or restricted-access networks through the secure VPN channel while allowing general web browsing and non-critical traffic to take a direct internet route.

For example, you could tunnel video conferencing software over the open internet while securing email, messaging, and corporate network access within the encrypted VPN. Granular policies put you in control over balancing functionality, performance, and privacy.

3. Improve security for what matters most

While split tunneling does route some traffic outside the VPN tunnel, it also empowers you to implement stronger security policies.

For instance, you may not care if your DNS queries or web history are visible to your ISP for casual browsing. However, financial transactions, medical communications, and proprietary corporate networks require total privacy. Granular tunnel management enhances security precisely where it’s needed most.

You can also reduce the VPN attack surface. Instead of obscuring all traffic behind one server, only route your most sensitive data through private tunnels. Limiting VPN traffic volume also makes inspection more scalable.

4. Facilitate high-performance remote access

Remote workers often use VPNs to access corporate resources and data securely from home or mobile locations. But routing all of a remote worker’s internet activity through the corporate VPN concentrates significant extra traffic onto corporate internet links.

Split tunneling gives remote workers secure corporate access without forcing unrelated browsing and internet activity to traverse corporate links. Users get better performance on general web use while you keep access tightly controlled.

5. Enable anywhere operations

The future of work trends toward embracing “anywhere operations” with employees, contractors, partners, and customers dispersed across locations and devices. You can adapt split tunneling policies to maximize security and productivity for these fragmented digital workforces.

For example, rules can be fine-tuned to handle corporate laptops defaulting to full tunnels, while personal devices use split tunnels with only corporate traffic encapsulated.

6. Achieve regulatory compliance

As regulations like GDPR and HIPAA evolve, split tunneling provides more control over where sensitive or regulated data flows. To achieve compliance, you can isolate traffic with sensitive data within encrypted VPN channels.

Potential risks of VPN split tunneling

You can’t look at the benefits of VPN split tunneling without considering the potential risks. These include privacy, security, and complexity tradeoffs that need to be evaluated, which is why some organizations may look into VPN alternatives.

a scale showing the balance of risk and reward

Privacy and security risks

There are some compelling security reasons behind why some companies prefer to take a performance hit and drive everything through their VPN connection. Namely, if all of that user-to-internet traffic has to pass through the corporate VPN host, then it can be subjected to the same security scrutiny as it would be if the user were on site (in the office). Known bad sites on the internet can be blocked, either for content (appropriate use) or security reasons (malware sites, etc.).

If the corporate VPN redirects internet traffic through a central point, then it can also redirect that traffic. You can use system security devices such as intrusion prevention devices (IPS) for deep packet inspection to look for malicious content. Because very few end-users have the same level of security infrastructure on their home networks, forcing all of that traffic through the corporate infrastructure essentially places your home network behind the corporate perimeter, which is likely safer.

Or maybe you aren’t on your home network. You might be on a public Wi-Fi network in a cafe or hotel. In these cases, other devices on the local network should be treated as hostile by default. They could be snooping on your traffic and trying to break into your computer over local protocols. In these situations, it makes a lot of sense to encrypt everything and send it to a central VPN host before forwarding it out to the internet.

But the biggest reason that IT security people cite for disabling split tunneling is a little more subtle. Suppose your computer has become infected with some sort of malware. A typical pattern for attacks against corporate infrastructure is to first compromise an end-user’s computer. From there, they exploit any trust relationships associated with that computer. They can also snoop on things that you might type, like user IDs and passwords.

Exploiting this kind of vulnerability requires that the attacker has access to your computer while your computer has access to the corporate network. With split tunneling disabled, the corporate security infrastructure has a chance to intercept the attacker’s command and control traffic.

Increased complexity

Implementing split tunneling also increases the complexity of managing your VPN environment. For instance, a company could misconfigure app-based rules and accidentally allow unencrypted access to internal databases from external networks. Defining and maintaining custom routing rules is more complicated than sending all traffic through VPN servers by default. The more complex the configuration, the greater the risk of errors that incorrectly route traffic.

Comprehensive testing is essential to catch errors before deployment. You also need robust VPN monitoring to identify problems after rollout, like corporate data being transmitted improperly outside the encrypted tunnel. Weigh whether the flexibility of split tunneling is worth the extra effort required to implement it securely. Some organizations prefer the simplicity of routing all VPN traffic through secure gateways without exceptions.

Additionally, enforcing consistent policies becomes more difficult across all users, devices, and operating systems when using split tunneling. For example, a firm could fail to configure mobile devices properly, leaving a gap that enables data leaks.

5 strategies to mitigate risks from split tunneling

Implementing split tunneling can reduce risks if you take the right precautions. By following several best practices, you can mitigate the potential downsides.

1. Thorough testing and deployment verification

To start, conduct thorough testing and verification during deployment. This ensures routing rules function as intended for all applications, use cases, and data types. Make sure to account for both inclusion and exclusion rules. 

Also, test with different user roles and device types to confirm consistent policy enforcement across desktops, mobiles, tablets, and so on. After deployment, continue monitoring to identify any misrouted data or gaps in your policies. Actively inspect network traffic on an ongoing basis.

2. Least privilege and minimizing exposure

Next, implement least privilege in your routing rules. Only send required low-risk traffic outside the VPN tunnel while encrypting sensitive applications by default. Furthermore, funnel only necessary traffic outside the tunnel to minimize exposure. 

For instance, you may allow recreational web browsing to bypass the VPN but keep critical systems like banking protected. For certainty, configure inverse tunneling that encrypts everything first, then excludes specific low-risk apps rather than including sensitive ones.

3. Layered security and policy consistency

Make sure to employ layered security and ensure policy consistency. Use multiple defensive layers like endpoint antivirus, firewalls, IDS/IPS, proxy filtering, and data loss prevention. Don’t rely solely on split tunneling—use defense-in-depth. 

Also, eliminate any policy enforcement gaps across devices, operating systems, locations, and users. Address identified weaknesses. Institute mandatory device security baselines before allowing VPN connections to enforce computer hygiene.

4. Adaptability to the evolving threat landscape

Adaptability is key in response to an evolving threat landscape. Frequently update rules to keep pace with changes in applications, threats, business systems, and usage patterns. Perform periodic reviews. 

Watch for new high-risk apps and add them to the encrypted tunnel inclusion list once adopted. Consider time-based rules that account for changing business hours, travel, temporary high-risk locations, and the like.

5. Automation for simplified management

Finally, leverage automation to simplify management. Use dynamic context-aware tunneling that automatically routes traffic based on criteria such as application risk profiles, user roles, device security posture, network locations, and more. 

Integrate with security platforms for automated policy triggering based on threat intelligence, anomaly detection, and other indicators of compromise. Evaluate cloud access security broker (CASB) options to offload policy enforcement.

How to set up VPN split tunneling

Split tunneling is a useful VPN feature, but proper setup is crucial to utilize it safely. The specific steps vary by VPN provider, but the general process involves configuring routing rules for your apps and traffic. Keep several considerations in mind to successfully implement split tunneling.

To begin, check if your VPN service supports split tunneling and identify the type offered—app-based, IP-based, etc. Most VPNs have the option in their desktop client software, while some may only support it via browser extensions. Refer to your provider’s instructions to locate the tunneling settings. You’ll typically see options to route traffic for specific apps or URLs through the tunnel.

When creating inclusion and exclusion rules, take a least privilege approach to minimize risk exposure. Funnel only low-risk traffic outside the VPN tunnel, keeping sensitive applications encrypted. Enable inverse tunneling, if available, to default to full encryption. Build your rules carefully, testing extensively with different apps, users, devices, and networks.

Special considerations for different VPN services

Certain VPN services have preconfigured split tunneling profiles you can use for common usage scenarios like media streaming or VoIP calls. This simplifies setup, but you should still customize as needed. Define rules based on your unique apps, resources, and risk tolerance.

The process becomes even more straightforward if you’re using a service like Cisco Anyconnect. You can configure Cisco Anyconnect to set up split tunneling with a few simple steps, making it an excellent choice for businesses looking for a hassle-free solution.

After configuring split tunneling, thoroughly test connectivity across inclusion and exclusion rules on all your devices. Verify both VPN and non-VPN behavior for covered apps. Check that policy enforcement is consistent across platforms. Identify any connection issues or leaks early.

Troubleshooting tips

Setting up split tunneling correctly can be tricky. Here are some common issues and troubleshooting tips:

Connectivity problems

If apps are failing to connect or intermittently drop when using the VPN, consider the following:

  • Double-check your routing rules contain the correct app names/URLs/IP addresses. Typos can cause problems.
  • Try toggling the VPN connection off and on after making routing changes. This reloads the rules.
  • Confirm the VPN app has permission to route network traffic on your device.
  • Temporarily disable any firewalls/security software that may be blocking traffic.
  • Switch between TCP and UDP connection protocols if one is not establishing properly.

Leakage of sensitive traffic

In the event you detect unencrypted sensitive app traffic outside the VPN tunnel, some steps you can take include:

  • Audit your rules to ensure sensitive apps are routed through the VPN, not outside it.
  • Switch to inverse split tunneling so all traffic goes through the VPN by default. Then, exclude low-risk items.
  • Use a VPN leak testing tool to identify any unencrypted traffic that should be going through the tunnel.
  • Bind specific browsers or apps to the VPN adapter on your OS to force tunneling at a program level.

Policy enforcement issues

If you’re experiencing traffic leaks, it could be the result of misconfigurations, so take the following measures:

  • Check that the VPN client is configured correctly on all devices, including Windows, Mac, and mobile.
  • Set split tunneling at the OS level for consistent policy application across all apps.
  • If routing traffic is based on domain, enable DNS leak protection features on the VPN to prevent circumvention.
  • For corporate networks, enforce adherence to routing rules through endpoint agents and network access controls.
  • On mobile devices, enable always-on VPN connectivity to prevent policy lapses.

Monitoring and updates

For misrouted apps or when your needs change, consider the following:

  • Log and inspect VPN traffic to identify misrouted apps and data over time.
  • Periodically review and update your routing rules to account for new apps, business needs, threats, etc.
  • For dynamic rules, check that domain categories and app profiles are kept current by your VPN provider.
  • Consider automated tools to streamline management and reduce errors in complex split tunneling policies.

Future trends that may impact split tunneling

Like all rapidly evolving enterprise technologies, split tunneling will continue advancing in the coming years. Several emerging trends could shape and impact how you implement split tunneling in the future.

nighttime skyline with smart service icons

Smarter traffic analysis with AI/ML

For smarter traffic analysis, look to artificial intelligence and machine learning. These innovations open up new possibilities for dynamic, context-aware split tunneling rules. For instance, traffic could be automatically analyzed for sensitive characteristics and routed through the VPN if any anomalies are detected. Reducing manual configuration in this way could enhance your security posture and network performance.

Closer integration with CASB and ZTNA

You can also expect closer integration between split tunneling and emerging models like CASB and ZTNA. Cloud access security brokers and zero trust network access focus on software-defined network perimeters. Tight coordination between these frameworks and granular split tunnel policies can develop. Your organization’s split tunnel rules could then adapt based on parameters from integrated software-defined systems.

Better support for internet protocol version 6 (IPv6)

Improving support for IPv6 will be an increasing priority. As IPv4 address exhaustion continues, IPv6 adoption accelerates globally. Leading VPNs already tunnel IPv6 traffic, but many IT teams still overlook proper encapsulation. Shoring up IPv6 handling will be a growing focus as you evaluate VPN providers.

Integration with browser-based remote access

Many organizations are exploring browser-based models for remote access instead of traditional VPN technology. However, selectively tunneling web traffic could still enhance performance and privacy under browser-based architectures. Innovation may drive integration between browser-based access and split tunneling for greater flexibility.

Embracing anywhere operations

As previously stated, the future of work is trending toward embracing “anywhere operations,” with employees, contractors, partners, and customers increasingly dispersed across locations and devices.

You need to enable secure productivity for these fragmented digital workforces. Employees expect flexible work-from-anywhere capabilities, while organizations require protection for data and systems.

Adapting granular split tunneling policies provides strategic value in this environment. You can maximize security and performance for a mix of managed and unmanaged devices across networks. 

The rise of SASE architecture

Another emerging trend is the shift toward SASE (Secure Access Service Edge) architecture. What is SASE, you ask? SASE converges networking and network security into a cloud-based model. This enables identity-based perimeter enforcement for distributed environments.

As SASE adoption grows, split tunneling may be integrated as one component within the broader SASE framework. Core routing could utilize cloud-hosted SASE for context-aware policy enforcement.

VPN split tunneling: A versatile solution for modern networks

Split tunneling offers a powerful mechanism to balance privacy, security, functionality, and performance in modern VPN environments. By segmenting traffic intelligently, you can have the best of both worlds—uncompromised privacy when you need it without sacrificing speed, access, or functionality.

It’s a good idea to keep exploring how advances in granular traffic management can provide strategic advantages and, as your network evolves, continue to reevaluate where smarter routing can play an integral role in your architecture.

Get templates for network assessment reports, presentations, pricing & more—designed just for MSPs.

Ebook cover - The Ultimate Guide to Selling Managed Network Services
  1. Glenn Lindsey Avatar
    Glenn Lindsey

    I’m a newbie studying cybersecurity. This article/blog post has been very helpful. Thanks

  2. VPN Avatar
    VPN

    It’s great that you are sharing useful information. I enjoy reading your blog.
    David, author, and owner of the blog https://vpnheroes.com/

  3. Robert Avatar
    Robert

    If I do split tunneling for Plex so I can access my server remotely, am I still secure as if I wasn’t?

Leave a Reply

Your email address will not be published. Required fields are marked *