When you connect to a VPN, every app on your device routes through the encrypted tunnel — which is great for security but sometimes problematic for usability. Your banking app might block VPN connections. Your local news might show the wrong region. Your downloads might slow down. Split tunneling solves all of these problems by letting you choose exactly which traffic goes through the VPN and which uses your normal internet connection.
What Is Split Tunneling?
Split tunneling is a VPN feature that divides your internet traffic. Some apps, websites, or IP addresses travel through the encrypted VPN tunnel, while the rest connect directly to the internet through your regular ISP. This gives you granular control without sacrificing either security or accessibility.
Without split tunneling, a VPN routes ALL traffic through its servers — your browser, email client, cloud storage sync, gaming, streaming, banking, and every other app simultaneously. This can cause several practical problems:
- Banking apps flag or block connections from VPN IP addresses
- Local network devices (printers, Chromecast, smart home hubs) become inaccessible
- Connections to local gaming servers slow down when they are routed through distant VPN servers
- Streaming services detect and block VPN IPs more easily when all traffic appears VPN-originated
Three Types of Split Tunneling
1. App-Based Split Tunneling
Choose which specific applications route through the VPN and which don't. This is the most common and useful type. For example, you might route Chrome, Firefox, and your torrent client through the VPN while keeping your banking app and video calls on your regular connection.
Use case: You want Netflix access through a US VPN server but need your local banking app to work without VPN interference.
2. URL-Based Split Tunneling
More granular than app-based: route specific websites or domains through the VPN tunnel rather than entire applications. This is useful when an app makes requests to multiple services and you only want some of them through the VPN.
Use case: Route only YouTube.com through the VPN while keeping the rest of your browsing on your regular connection.
3. Inverse Split Tunneling
The reverse of the standard model: everything goes through the VPN by default, and you explicitly exclude specific apps or URLs. This is the most secure approach and is preferred by privacy-conscious users.
Use case: Maximum protection by default, but you exclude local network devices and banking sites that don't work with VPNs.
Best VPNs for Split Tunneling in 2026
| VPN | App Split Tunnel | URL Split Tunnel | Inverse Mode | Platforms |
|---|---|---|---|---|
| NordVPN | ✅ | ✅ (Browser extension) | ✅ | Windows, Android, macOS |
| Surfshark | ✅ | ✅ | ✅ | Windows, Android, macOS |
| ExpressVPN | ✅ (App-level) | ❌ | ✅ (via router) | Windows, Android, macOS, Router |
| CyberGhost | ✅ | ❌ | ❌ | Windows, Android, macOS |
| ProtonVPN | ✅ | ❌ | ✅ | Windows, Android, macOS |
| IPVanish | ✅ | ❌ | ❌ | Windows, Android, macOS, Fire TV |
How to Set Up Split Tunneling — Step by Step
On Windows (NordVPN Example)
- Open NordVPN and click the settings cog icon
- Navigate to the "Split Tunneling" section
- Toggle split tunneling ON
- Choose "Split Tunneling mode" — Standard (VPN for selected apps) or Inverse (VPN for all except selected)
- Click "Add apps" and browse to the .exe files you want to include or exclude
- Click Save and reconnect to your VPN
On Android (Most VPNs)
- Open your VPN app and go to Settings
- Find "Split Tunneling" or "App Permissions"
- Toggle it on
- Select which apps should use the VPN and which should use your regular connection
- Save and reconnect
On macOS
macOS split tunneling support varies significantly by VPN. NordVPN, Surfshark, and ExpressVPN offer native app-based split tunneling on macOS. Others may require router-level configuration. Always check the current macOS version compatibility — some VPNs drop macOS support for newer versions periodically.
Common Split Tunneling Scenarios
Scenario 1: Banking App Won't Work with VPN
Many banks use fraud detection systems that flag connections from known VPN IP ranges. Add your banking app to the excluded (non-VPN) list to resolve this without disabling your entire VPN.
Scenario 2: Smart Home Devices Unreachable
When your VPN routes all traffic, devices on your local network (192.168.x.x range) become unreachable. Exclude your local network IP range from the VPN tunnel — typically 192.168.1.0/24 or 192.168.0.0/24.
Scenario 3: Gaming with Lower Ping
Route your game through your regular ISP connection for lower latency while routing your browser through the VPN for privacy. This prevents VPN routing from adding 50-200ms of latency to your gaming sessions.
Scenario 4: Simultaneous Streaming and Torrenting
Route your streaming service through your regular connection (to avoid VPN IP blocks from streaming platforms) while routing your torrent client through the VPN for anonymous downloading.
Troubleshooting Split Tunneling
- Apps still not connecting: Make sure you've added the correct app executable, not just the shortcut. On Windows, browse to the actual .exe in Program Files.
- Split tunneling not saving: Some VPNs require a full disconnection and reconnection after changing split tunnel settings. Try reconnecting the VPN.
- IP still leaking after exclusion: Check for DNS leaks — ensure your DNS requests are also routed correctly. Use a tool like ipleak.net to verify.
- macOS permission issues: macOS may block VPN apps from managing other apps' network traffic. Grant full disk access and network extensions permissions in System Preferences.
Security Considerations
Split tunneling does reduce your overall protection, because any app excluded from the VPN tunnel operates with your regular (potentially observable) IP address. Consider these tips:
- Only exclude apps that genuinely don't work with VPNs, not just for convenience
- Always use inverse split tunneling (VPN for everything except X) rather than standard split tunneling (VPN only for X) for better baseline security
- Ensure excluded apps don't transmit sensitive data over unencrypted connections
- On public WiFi, temporarily disable split tunneling to ensure all traffic is protected
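The sketch below is an added example, not code from any VPN client. It models the inverse-mode routing decision from Scenario 2 and shows how an excluded LAN range can also carry DNS queries outside the tunnel, which is the leak the troubleshooting list tells you to check for. The resolver addresses and function names are assumptions made for illustration, and it covers IPv4 only.

```python
import ipaddress

# Constructed sample configuration (assumed values, not from a real client).
EXCLUDED_CIDRS = ["192.168.1.0/24"]        # LAN range excluded from the tunnel
DNS_SERVERS = ["192.168.1.1", "10.8.0.1"]  # home router resolver, VPN resolver
VPN_DEFAULT = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_for(dest, excluded_cidrs):
    """Inverse mode: VPN by default, the most specific exclusion wins."""
    addr = ipaddress.ip_address(dest)
    best_path, best_net = "vpn", VPN_DEFAULT
    for cidr in excluded_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and net.prefixlen > best_net.prefixlen:
            best_path, best_net = "direct", net
    return best_path, best_net


def audit(excluded_cidrs, dns_servers):
    """Return findings to review before trusting an exclusion list."""
    findings = []
    for cidr in excluded_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        # An exclusion should stay inside private LAN space.
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append(
                f"{cidr}: excludes addresses outside RFC 1918 private ranges")
    for dns in dns_servers:
        path, net = route_for(dns, excluded_cidrs)
        # A resolver inside an excluded range receives queries in the clear.
        if path == "direct":
            findings.append(f"{dns}: DNS resolver bypasses the VPN via {net}")
    return findings


if __name__ == "__main__":
    for dest in ("192.168.1.50", "192.168.0.10", "93.184.216.34"):
        print(dest, "->", route_for(dest, EXCLUDED_CIDRS)[0])
    for finding in audit(EXCLUDED_CIDRS, DNS_SERVERS):
        print("finding:", finding)
```

In the sample run, 192.168.0.10 still goes through the VPN because only 192.168.1.0/24 was excluded, so the excluded range has to match the subnet your router actually uses.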