By default, a VPN tunnels all of your internet traffic through an encrypted connection to the VPN server. Split tunneling changes this: you can specify that only certain apps or certain destinations go through the VPN, while everything else uses your regular internet connection. This sounds like a convenience feature, but it has real privacy and security implications worth understanding before you enable it.
What Split Tunneling Is and Why It Exists
The most common reasons people use split tunneling:
- Local network access: A full VPN tunnel blocks access to local devices like NAS drives, printers, or smart home devices. Split tunneling lets local traffic bypass the VPN.
- Speed-sensitive applications: Video streaming or gaming at full bandwidth without VPN latency, while sensitive browsing still goes through the tunnel.
- Work VPN coexistence: You might need your work VPN for work traffic and a personal VPN for personal traffic simultaneously.
- Geo-specific services: Some streaming services block VPN exit IPs. You can exclude those apps from the tunnel while everything else is protected.
Route-Based vs App-Based Split Tunneling
There are two fundamentally different ways split tunneling is implemented:
App-based split tunneling lets you whitelist or blacklist specific applications. Traffic from whitelisted apps bypasses the VPN; everything else goes through. This is the most common implementation in commercial VPN apps (Mullvad, ProtonVPN, ExpressVPN).
Route-based split tunneling works at the network layer. You specify IP ranges or subnets that should bypass the VPN. Traffic to those IPs goes direct; everything else is tunneled. This is the approach used in WireGuard’s AllowedIPs configuration.
Most users want app-based; network engineers and self-hosters often prefer route-based for its precision.
Split Tunneling in Mullvad VPN
Mullvad implements app-based split tunneling on Windows, macOS, and Linux.
- Open the Mullvad app.
- Navigate to Settings > Split Tunneling.
- Toggle on Enable split tunneling.
- Choose your mode:
- Exclude apps from VPN: Listed apps bypass the tunnel; everything else is protected. (Recommended)
- Only include apps in VPN: Listed apps are tunneled; everything else goes direct. (Useful if you have one or two apps that need protection)
- Add apps using the Add Application button.
Example use case: You want your browser and messaging apps tunneled, but Steam and game clients go direct for latency.
- Mode: Exclude apps from VPN
- Add: Steam, your game launchers
Mullvad also supports split tunneling by IP range on Linux via the CLI:
mullvad split-tunnel add IPRANGE
# Example: route local network traffic direct
mullvad split-tunnel add 192.168.1.0/24
Split Tunneling in ProtonVPN
ProtonVPN’s split tunneling is available on Windows, Android, and (partially) macOS.
Windows:
- Open ProtonVPN > Settings > Connection.
- Enable Split Tunneling.
- Choose Standard (exclude specific apps/IPs) or Inverse (include only specific apps/IPs).
- Add apps or IP ranges to exclude or include.
Android:
- Settings > Split Tunneling.
- Choose apps to exclude from the VPN tunnel.
ProtonVPN does not currently support app-based split tunneling on macOS due to Apple’s network extension restrictions. You can use IP-based split tunneling as an alternative.
Split Tunneling with WireGuard
WireGuard’s split tunneling is configured through the AllowedIPs directive in the peer configuration. By default, WireGuard routes all traffic through the tunnel (AllowedIPs = 0.0.0.0/0, ::/0). To split tunnel, replace this with specific CIDRs.
Route only specific subnets through the VPN:
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
# Only RFC 1918 private ranges go through the tunnel
# Public internet goes direct
Route everything EXCEPT local network through the VPN:
The “exclude local” pattern requires calculating the inverse of your local subnet. An easier approach uses wg-quick’s PostUp scripts to add and remove routes.
There is a helpful tool called WireGuard AllowedIPs Calculator for computing inverse routes.
Full tunnel with local network bypass:
[Interface]
Address = 10.66.66.2/32
DNS = 10.66.66.1
PostUp = ip route add 192.168.1.0/24 via %i
PreDown = ip route del 192.168.1.0/24 via %i
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
This routes everything through the tunnel but adds a static route for 192.168.1.0/24 that bypasses the tunnel.
Privacy Risks of Split Tunneling
Split tunneling introduces several risks that users often overlook:
DNS leaks: If excluded apps make DNS queries, those queries may go to your ISP’s resolver rather than through the VPN’s resolver. Configure your system DNS to a privacy-respecting resolver (Mullvad’s DNS, Control D, etc.) independently of the VPN to mitigate this.
Traffic correlation: An adversary watching both your ISP connection and the VPN exit can correlate timing of tunneled and non-tunneled traffic to identify you. If your threat model includes this, do not use split tunneling.
App-to-app data leakage: A tunneled app might share data with an excluded app (via clipboard, inter-process communication, or shared libraries) that then exfiltrates it over the direct connection. This is a minor risk for most users but real for high-sensitivity environments.
WebRTC leaks: Browser WebRTC connections can bypass the VPN tunnel in some configurations. Disable WebRTC in your browser or use an extension like uBlock Origin (which blocks WebRTC by default in medium mode).
When to Use Split Tunneling
| Scenario | Recommended Mode |
|---|---|
| Local NAS/printer access | Exclude local subnet (route-based) |
| Gaming + private browsing | Exclude game clients (app-based) |
| Work VPN + personal VPN | Include only work apps in work VPN |
| Streaming specific services | Exclude streaming apps (app-based) |
| Maximum privacy | Do not use split tunneling |
Split tunneling is a power-user feature. If you enable it without understanding what is and is not tunneled, you risk creating gaps in your privacy posture. Configure it deliberately, verify with a DNS and IP leak test after setup, and revisit the configuration when you install new apps.