VPN split tunneling explained quickly:
Split tunneling allows you to route only certain apps or websites through the VPN, or to prevent them from using the VPN at all. It’s handy when you want faster speeds at the cost of the privacy the VPN provides. Split tunneling is available in almost all premium VPNs.
It divides traffic into two parts, where one portion is VPN-protected and the other originates from your original IP. Find out more about how it works and how to use it in our in-depth split tunneling VPN guide.
A split tunneling VPN is a VPN service that allows you to select which apps/domains/IPs will or won’t use the VPN tunnel. This feature is useful for VPN-protecting certain portions of your traffic while leaving the rest unaffected by the encryption and the IP change.
This is usually a premium feature, found in popular VPNs like ExpressVPN, NordVPN, and even CyberGhost. Split tunneling comes in several variants, and it has a few specific use cases that we’ll go over in this Split Tunneling VPN guide.
What Is Split Tunneling? How Does VPN Split Tunneling Work?
Full tunneling is when you connect to a VPN and all your traffic is routed through an encrypted tunnel. Conversely, split tunneling is when only specific apps, domains, or IP ranges use that tunnel. You choose which packets get the VPN’s encryption and exit IP, and which take the “direct” route out via your ISP.
At a network level, split tunneling is implemented with policy-based routing and packet filters:
- Windows: Most VPN apps use the Windows Filtering Platform (WFP) and create per-app filtering rules. “App-based” split tunneling tags flows by process (EXE) and sends only those to the VPN TAP/TUN adapter. “Site-based” split adds static routes to the OS routing table for certain subnets, or for the resolved IPs of certain domains.
- macOS: App-based split uses the Network Extension framework and PF (packet filter). Domain-based split adds routes to the system routing table and sometimes uses `scutil` to pin DNS.
- Linux: Apps leverage `iptables`/`nftables` marks plus `ip rule`/`ip route` for multiple routing tables. Example idea: mark packets from a given UID or destination, then route table `100` via the VPN interface while table `main` goes out via the ISP.
- Android: Split tunneling is built atop the VpnService API. VPNs can exclude apps from the tunnel (disallowed apps) or include only selected apps (allowed apps). Many vendors also offer per-domain split in their Android apps.
- iOS/iPadOS: iOS supports Per-App VPN profiles (usually MDM/enterprise) rather than consumer “app pickers.” Consumer VPN apps often offer limited split tunneling on iOS due to platform constraints; domain routing is more feasible through some providers’ browser extensions.
Two critical supporting components:
- DNS binding: For any destination routed via the VPN, your DNS queries must also go through the tunnel to avoid leaks. Good clients pin DNS per flow/app. If the provider doesn’t, you get mixed-path DNS: the app’s traffic uses the tunnel, but its DNS queries leak to your ISP’s resolver and reveal your ISP location.
- Kill switch alignment: A firewall-based kill switch should only block traffic that should use the tunnel. With split tunneling, the kill switch must be policy aware (don’t block excluded apps; do block included ones when the VPN drops).
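The Linux mechanism sketched in the bullet above (marks plus a second routing table), together with the DNS binding and the policy-aware kill switch from the two components just listed, as an added example; this is not code from the article or from any vendor’s client. It assumes a TUN interface named tun0, a placeholder in-tunnel resolver 10.8.0.1, placeholder UIDs 1001 and 1002 for the “tunnel required” apps, and the documentation prefix 203.0.113.0/24 as a “tunnel required” destination. By default it only prints the `ip`/`nft`/`sysctl` commands so the policy can be reviewed; `APPLY=1` executes them (root required).

```shell
#!/usr/bin/env bash
# Added example (not from the article or any VPN vendor): Linux policy-based
# split tunneling with nftables marks and a dedicated routing table.
# All values below are placeholders; override them via the environment.
#   VPN_IF   - the VPN's TUN interface
#   VPN_DNS  - the provider's in-tunnel resolver
#   VPN_UIDS - UIDs whose processes must use the tunnel (app-based split)
#   VPN_NETS - destination prefixes that must use the tunnel (site-based split)
# APPLY=1 runs the commands (needs root); otherwise they are only printed.
set -eu

VPN_IF="${VPN_IF:-tun0}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"          # constructed placeholder resolver
VPN_UIDS="${VPN_UIDS:-1001 1002}"       # constructed placeholder UIDs
VPN_NETS="${VPN_NETS:-203.0.113.0/24}"  # TEST-NET-3 documentation range
MARK=0x1        # fwmark meaning "tunnel required"
TABLE=100       # routing table consulted for marked packets
NFT_TABLE=vpnsplit

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

split_tunnel_rules() {
  # 1. Dedicated routing table: marked packets default out through the VPN.
  #    (ip rule add is not idempotent; delete the rule before re-running.)
  run ip route replace default dev "$VPN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE" priority 1000
  # Replies to marked flows arrive on the VPN interface while the main table
  # points elsewhere, so strict reverse-path filtering would drop them.
  run sysctl -w net.ipv4.conf.all.rp_filter=2

  # 2. Classification: a 'route' type chain re-runs the routing lookup after
  #    the mark is set, so the mark takes effect for the same packet.
  run nft add table inet "$NFT_TABLE"
  run nft add chain inet "$NFT_TABLE" classify \
      '{ type route hook output priority mangle; }'
  for uid in $VPN_UIDS; do        # app-based: match by owning process UID
    run nft add rule inet "$NFT_TABLE" classify meta skuid "$uid" meta mark set "$MARK"
  done
  for net in $VPN_NETS; do        # site-based: match by destination prefix
    run nft add rule inet "$NFT_TABLE" classify ip daddr "$net" meta mark set "$MARK"
  done

  # 3. DNS binding: lookups made by tunnel-required flows are redirected to the
  #    in-tunnel resolver, so none of them ever reaches the ISP resolver.
  run nft add chain inet "$NFT_TABLE" dnspin \
      '{ type nat hook output priority dstnat; }'
  run nft add rule inet "$NFT_TABLE" dnspin meta mark "$MARK" udp dport 53 dnat ip to "$VPN_DNS"
  run nft add rule inet "$NFT_TABLE" dnspin meta mark "$MARK" tcp dport 53 dnat ip to "$VPN_DNS"

  # 4. Policy-aware kill switch: when the tunnel drops, table 100 loses its
  #    route and a marked packet would fall through to the main table and
  #    leave via the ISP. Drop exactly those; unmarked (excluded) traffic is
  #    never touched.
  run nft add chain inet "$NFT_TABLE" killswitch \
      '{ type filter hook output priority filter; policy accept; }'
  run nft add rule inet "$NFT_TABLE" killswitch meta mark "$MARK" oifname != "$VPN_IF" drop
}

split_tunnel_rules
```

Review the printed commands, then run with `APPLY=1` as root. To check the result, `ip route get 203.0.113.10 mark 0x1` should report `dev tun0`, while the same lookup without `mark 0x1` should report the ISP interface; if the tunnel goes down, marked traffic is dropped by the `killswitch` chain rather than silently falling back to the ISP.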
When Should I Use a Split Tunneling VPN?
This brings up the subject of when to use a split tunneling VPN. Obviously, you shouldn’t use it all the time because some online activities practically require the security of a VPN. Below, we examine the cases in which split tunneling will be welcome.
- Gaming on nearby servers: Exclude the game binary from the tunnel to shave latency and reduce jitter. Keep overlays/launchers in the VPN if they’re browsing the web. For anti-cheat-sensitive titles, split tunneling can also reduce flagging by keeping the game’s route simple.
- Online shopping & local services: Some merchants price or verify by region. Exclude local shops and delivery apps to keep your native IP and accurate geolocation for taxes and shipping.
- Online banking: Many banks block logins from unfamiliar regions and may temporarily lock accounts. Exclude the banking app/site so it sees your real IP while everything else remains under the VPN.
- High-bandwidth transfers to trusted destinations: If you’re pulling multi-GB OS updates or copying to your home NAS over a trusted channel, exclude those to free up VPN bandwidth for privacy-critical apps.
- Smart home / LAN devices: Use split tunneling or LAN-allow rules to keep local subnets (e.g., `192.168.1.0/24`, `10.0.0.0/8`) outside the VPN, so printers, TVs, and consoles remain discoverable via mDNS/SSDP.
Split Tunneling Types Explained
We mentioned that split tunneling comes in multiple variants, but all of them work on the same principle: they either allow or prevent an app/website from using the VPN. There are three types of VPN split tunneling, all of which are explained below.
- App Split Tunneling. This type allows you to select which apps will or won’t use a VPN. It’s the most common type that you can find in ExpressVPN or NordVPN. Under the hood, flows are matched by process ID/EXE and routed to the VPN interface.
- Website (Domain/IP) Split Tunneling. Same logic but matches by destination. VPNs resolve domains to IPs and inject routes for that set. Caveat: big sites use CDNs with rotating IPs; a good client refreshes mappings to avoid “route drift.” Browser extensions can enforce per-domain proxying, which is easier than OS-wide domain split.
- Inverse Split Tunneling. Default is full tunnel. You then exclude specific apps/domains/IP ranges from the VPN. This is safer because you won’t accidentally leave something sensitive outside the tunnel if you forget to include it.
Security, Privacy & Performance Trade-offs
- Privacy surface: Anything excluded from the VPN reveals your ISP IP, ASN, and approximate location to that destination (and to your ISP). Browser fingerprinting and WebRTC can compound this if your browser is excluded.
- DNS leakage risk: If the client doesn’t pin DNS per route/app, excluded traffic may still query the VPN DNS (causing geolocation mismatches) or included traffic may leak queries to your ISP DNS. Verify with a DNS leak test for both included and excluded apps.
- Kill switch semantics: A connection drop should only kill flows marked “VPN-required.” If your kill switch is global and unaware of split rules, it may block excluded apps too or, worse, let included apps fall back to the ISP; avoid that.
- Speed: Split tunneling can dramatically increase throughput for excluded tasks (no VPN CPU/overhead), and preserve VPN bandwidth for what matters. On mobile, you’ll also save battery by keeping heavy but non-private flows out of the tunnel.
- IPv6: Ensure the VPN supports IPv6 in-tunnel or disables it system-wide; otherwise, excluded/included flows might behave inconsistently. Many providers add per-route IPv6 controls in split mode.
Advanced: Router-Level Split Tunneling (Policy-Based Routing)
If your whole household uses a VPN at the router, you can do split tunneling centrally so each device “just works.” This is useful for Apple TV/PlayStation/Xbox, which may not have app-level split.
- OpenWrt: Use mwan3 or policy-based routing packages. Mark traffic (by source IP/MAC, destination subnet, or port) and create rules so marked packets use the VPN interface (`tun0`) while others use WAN. E.g., route Netflix IP ranges outside the VPN to avoid proxy errors, while browsers/BitTorrent use the tunnel.
- pfSense/OPNsense: Create an alias for target domains/IPs, a second routing table via a gateway group for the VPN interface, then add firewall rules (LAN → destination alias → use VPN gateway). Add a floating rule to keep RFC1918 local subnets out of the tunnel.
- EdgeOS/UniFi: Policy routes with `firewall modify` and `set protocols static table`; match by source network (e.g., a “VPN VLAN”) or by destination.
Note: Domain-based routing on routers is tricky because IPs change. Some firmwares support DoH with RPZ, or dnsmasq ipset, to tag the addresses of resolved domains into a set and then route by that set.
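The resolver-populated set that the note above describes, as an added example that is not from the article, OpenWrt, or any firmware’s own tooling: dnsmasq adds every address it resolves for the bypass domains to an nftables set, and a mark-on-match rule routes those addresses out the ISP uplink while the router’s default route stays on the VPN. It assumes dnsmasq 2.87 or newer for the `nftset` directive (older builds use the `ipset=/…/setname` form with an ipset match instead), a placeholder uplink eth0 with gateway 198.51.100.1, LAN 192.168.1.0/24, and the reserved names example.com and example.net as the bypass domains. By default it prints the commands; `APPLY=1` executes them as root.

```shell
#!/usr/bin/env bash
# Added example (not from the article or any router firmware): on a router
# whose default route is the VPN, keep a few CDN-backed domains off the tunnel
# by routing on a set that dnsmasq fills with the addresses it resolves.
# All values are placeholders; override them via the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-198.51.100.1}"           # TEST-NET-2 placeholder gateway
LAN_NET="${LAN_NET:-192.168.1.0/24}"
BYPASS_DOMAINS="${BYPASS_DOMAINS:-example.com example.net}"
BYPASS_MARK=0x2      # fwmark meaning "leave via the ISP, not the VPN"
BYPASS_TABLE=200     # routing table whose default route is the ISP uplink
NFT_TABLE=vpnsplit
NFT_SET=bypass4

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# dnsmasq directive: every A record returned for these names is added to the
# nftables set, so the bypass follows the CDN as its addresses rotate.
dnsmasq_nftset_line() {
  names=""
  for d in $BYPASS_DOMAINS; do names="$names/$d"; done
  printf 'nftset=%s/4#inet#%s#%s\n' "$names" "$NFT_TABLE" "$NFT_SET"
}

bypass_rules() {
  # Set with a default element timeout: an address the CDN stops returning
  # ages out instead of pinning a stale edge to the bypass path.
  run nft add table inet "$NFT_TABLE"
  run nft add set inet "$NFT_TABLE" "$NFT_SET" \
      '{ type ipv4_addr; flags timeout; timeout 1h; }'
  # LAN traffic heading to a resolved bypass address gets the bypass mark...
  run nft add chain inet "$NFT_TABLE" prerouting \
      '{ type filter hook prerouting priority mangle; }'
  run nft add rule inet "$NFT_TABLE" prerouting ip saddr "$LAN_NET" ip daddr "@$NFT_SET" meta mark set "$BYPASS_MARK"
  # ...and a second routing table sends marked packets out the ISP uplink
  # instead of the VPN default route held in the main table.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$BYPASS_TABLE"
  run ip rule add fwmark "$BYPASS_MARK" table "$BYPASS_TABLE" priority 900
  # Local destinations stay local regardless of which default route wins.
  run ip rule add to "$LAN_NET" lookup main priority 100
  # Bypassed flows leave with the router's ISP address, so NAT them there.
  run nft add chain inet "$NFT_TABLE" postrouting \
      '{ type nat hook postrouting priority srcnat; }'
  run nft add rule inet "$NFT_TABLE" postrouting oifname "$WAN_IF" masquerade
}

bypass_rules
dnsmasq_nftset_line
```

Put the printed `nftset=` line into a dnsmasq configuration file and restart dnsmasq; from then on each lookup of a bypass domain refreshes the set, which is what avoids the “route drift” described for site-based split. The tagging only works for clients that resolve through the router: a browser using its own DoH resolver never passes its lookups to dnsmasq, so its traffic to those domains will still take the VPN.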
Common Pitfalls (and How to Avoid Them)
- Captive portals: Hotel/airport Wi-Fi sign-ins often block VPN. Temporarily exclude your browser or disable the VPN, complete the portal, then reconnect with your split rules.
- CDN & Anycast Drift: If domain split stops working, the site may have moved to new IPs. Toggle the VPN or flush the app’s DNS cache so it refreshes the route map.
- WebRTC leaks: If your browser is excluded, WebRTC can reveal local and public IPs. Disable WebRTC or force the browser to use the VPN path (inverse split).
- LAN discovery breaks: Full-tunnel VPN often blocks mDNS/SSDP broadcast used by printers/Chromecast. Add a split rule to keep 224.0.0.0/4 and your local subnets outside the VPN.
- Kill switch blocks “excluded” apps: Use a provider with a policy-aware kill switch; if not available, consider per-app firewalls to emulate it.
How to Use VPN Split Tunneling?
To use split tunneling, you must have a provider that supports it. For this guide, we’ll use NordVPN because it offers split tunneling on multiple platforms. Rest assured, the process is identical in any other split-tunneling-friendly VPN.
- Open NordVPN (or any other VPN).
- Go to Settings.
- Click on Split Tunneling.
- Enable Split Tunneling using its on/off button.
- Under “Type”, select whether you want to disable or enable the VPN for selected apps.
- Under “Selected Apps”, click on “Add Apps” to add applications that will or won’t use a VPN.
- In the new window, select the apps you want and click on “Add Selected.”
Platform specifics (what’s different on each OS)
- Windows: Most vendors offer both app and domain split. If you use inverse split, remember to include your browser and torrent client so they never fall back to ISP in case of a VPN hiccup.
- macOS: App split is common; domain split depends on the provider. If LAN discovery breaks, add your local subnet (e.g., `192.168.1.0/24`) to the exclude list.
- Android: Pick “Only allow selected apps to use VPN” or “Exclude selected apps.” To save battery, exclude heavy streaming apps if privacy isn’t needed for them.
- iOS/iPadOS: Consumer split options are limited. If you must split, consider vendor browser extensions for per-site rules, or configure Per-App VPN via MDM profiles (enterprise use).
Performance Tuning Tips
- Choose the closest VPN server for apps that remain tunneled to reduce RTT and jitter.
- Use WireGuard/NordLynx/Lightway for the tunneled part; they reduce CPU overhead and latency versus OpenVPN.
- Clamp MTU/MSS if you see partial loads/timeouts only for tunneled apps: many clients expose an MTU setting; try 1400/1380 then tune upward.
- Pin DNS for tunneled apps to the provider’s in-tunnel resolvers to avoid geolocation “bouncing.”
Enterprise Angle: Split Tunneling vs. Zero Trust
In corporate environments, split tunneling intersects with ZTNA (Zero Trust Network Access) and SASE. Rather than granting a flat network route, ZTNA brokers per-app connections based on identity and device posture. From the user’s view, this looks like “split tunneling by default”: Office 365 goes direct, an internal Jira goes via a ZTNA connector, and everything else follows policy. For compliance, inverse split or ZTNA is preferred so nothing sensitive accidentally rides the public path.
Troubleshooting Checklist
- App excluded but still slow? Verify it isn’t launching helper processes that are still tunneled. Add all associated processes to the same policy.
- “This service not available in your region” after excluding: Clear the app’s cache and sign in again; CDNs may remember previous VPN edges.
- Bank blocked my login: Ensure the banking app/site is excluded and DNS for that domain is using your ISP DNS (many clients handle this automatically).
- Streaming breaks when the VPN is on: Either fully exclude that streaming domain/app, or choose a dedicated streaming server; mixing can trigger proxy errors.
- Nothing resolves when VPN connects: You may have conflicting DNS. Toggle “use only VPN DNS while connected” and re-test; adjust split rules accordingly.
Summary
Split tunneling is immensely useful for preventing or allowing only certain apps/websites to use a VPN tunnel. However, the feature isn’t necessary and is handy only in specific situations where you want to prioritize performance over security or have your native IP visible when using a local site/service. To get it right, think in terms of policy-based routing (what should the OS do with each packet?), DNS binding (which resolver should each query use?), and kill-switch behavior (what to block when the tunnel drops?).
If you’re looking for a great split-tunneling VPN, our recommendations are NordVPN, ExpressVPN, CyberGhost, and ProtonVPN.
FAQ
Is split tunneling safe?
Yes, when used intentionally. Anything you exclude is visible to your ISP and the destination service. Keep sensitive apps (browsers, torrents, messengers) in the tunnel; exclude low-risk local services or apps that must see your real IP (banking).
Will split tunneling fix slow speeds?
It can. Exclude heavy, non-private traffic (OS updates, local CDN, LAN backups) to free VPN bandwidth for sensitive flows. Also switch the tunneled portion to a faster protocol (WireGuard/NordLynx/Lightway).
Why does my printer/Chromecast disappear after enabling the VPN?
Broadcast/multicast discovery doesn’t cross the tunnel. Exclude your local subnets (e.g., 192.168.0.0/16) so LAN devices remain reachable.
What’s the difference between app and site split tunneling?
App split matches by process; site split matches by destination. Site split is great for “send Netflix out of the VPN,” but rotating CDN IPs require the client to refresh routes dynamically.
Does split tunneling work on iOS?
Consumer apps have limited options. iOS supports Per-App VPN via MDM (enterprise). For consumer use, many providers offer domain-level controls in browser extensions as a workaround.
Can I combine split tunneling with a kill switch?
Yes—prefer a policy-aware kill switch that blocks only traffic marked “tunnel required.” Otherwise, you may block excluded apps or leak included ones if the tunnel drops.