'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
What is VPN split tunneling and should I be using it?
What is a Virtual Private Network (VPN)?
A VPN is a service that protects your privacy and security by encrypting your all of your traffic and hiding your IP address. Bad actors (criminals, invasive advertisers, etc.) will see the VPN's IP address instead of yours, if they spy on your online activities. Likewise, anyone attempting to intercept your traffic will find it useless due to built-in encryption. VPNs can also circumvent regional lockouts on online content, letting you stream shows and movies that aren't normally available in your country or region.
For a more information on how VPNs work, read our detailed VPN guide.
What is split tunneling?
Split tunneling is a feature provided by some VPNs that allows you to decide which connected apps, games, and services use the VPN for connectivity, and which use your standard connection. This differs from regular or "full tunnel" VPN setups, which encrypt and reroute all traffic on your system, regardless of origin or destination. Without split tunneling, you'll need to disable your VPN every time you want to use your standard connection and enable it when you want its added security.
Also: What is an IP address and how do you change it with a VPN?
Why should you use split tunneling?
The ability to choose which apps and services use your VPN of choice and which don't is incredibly powerful. Activities like remote work, browsing your bank's website, or online shopping via public Wi-Fi can definitely benefit from the added security of a VPN, but other pursuits, like playing online games or streaming readily available content, can be hurt by the slight delay VPNs may add to your traffic.
Also: How the top VPNs compare
The modest decrease to your connection speed is barely noticeable for browsing, but can be disastrous for online games. Being able to simultaneously connect to sensitive sites and services through your secure VPN, and to non-sensitive games and apps means you won't constantly need to enable and disable your VPN connection when switching tasks. This is important as forgetting to enable it at the wrong time could leave you exposed to security risks.
How does split tunneling work?
Split tunneling divides your network traffic in two. Your standard, unencrypted traffic continues to flow unimpeded down one path, while your sensitive and secured data gets encrypted and routed through the VPN's private network. It's like having a second network connection that's completely separate, a tiny bit slower, but also far more secure.
What are the different types of split tunneling?
There are three main types of split tunneling: URL-based, app-based, and inverse
URL-based split tunneling targets traffic being routed to specific URLs, encrypting only that traffic. This type of setup could be configured to encrypt all traffic directed toward your bank's website, your office's sign-in and HR pages, or your medical providers' portal. Any traffic tied to a specific URL can be filtered in this way, while traffic to any unspecified URLs remains on your standard connection. Many VPNs offer a browser extension to help users set which URLs will be encrypted.
App-based split tunneling is nearly identical to the URL-based variety, but it filters the traffic of specific apps, rather than specific URLs. A few coordinating examples would be logging into your bank's mobile app, accessing your company's Slack, or using your medical insurance providers' telehealth software. An app-based split tunneling setup will encrypt any traffic associated with those apps, while less sensitive data, like your TikTok scrolling, would stay unencrypted. It's particularly useful for use with mobile device VPN installations.
Inverse split tunneling is best for people that want nearly all of their traffic encrypted. The above two options leave your traffic unencrypted unless you specifically add it to their encryption lists. Inverse split tunneling does the opposite by encrypting everything on your system by default. Anything you don't want encrypted will then need to be specified. To continue the above examples, your banking, work, and medical traffic would automatically be encrypted, while your TikTok activity would need to be manually set to use an unencrypted connection.
How do I choose which traffic goes through the VPN and which doesn't?
Deciding this is a simple matter of asking yourself three questions. Once you answer these questions, listed below, you'll know which route to allow that specific app, site, or service to take.
Also: The fastest VPNs: Get great speeds without sacrificing security
1) Does this app, site, or service interact with private or sensitive data? This includes things like financial information, personal and medical data, log-in credentials, two-factor authentication, and even photos of your family.
Yes -- You should almost certainly use your VPN for this data to protect it from bad actors.
No -- It's probably safe to transmit over your standard, open network.
2) Am I trying to access content that isn't available in my country or region? One popular use for VPNs is to gain access to streaming media that isn't normally available in your region.
Yes -- You'll want to route your traffic through your VPN, specifically through an available region where the content you want to watch is available.
No -- VPNs typically don't provide any benefit for basic streaming that was already available in your area. Skip it.
3) Does my current activity require the best possible speed? Activities like online gaming and certain high-resolution video streams will suffer from even the very slightly degraded speeds provided by the fastest VPNs.
Yes -- Skip the VPN unless you absolutely need it. Even excellent VPN services introduce a little latency and reduce speeds slightly. It could ruin a highly competitive game, or 4K video stream.
No -- Feel free to use your VPN's connection.
What are the benefits of VPN split tunneling?
- Never having to enable or disable your VPN when switching between activities that need to be secured by it and those that don't.
Keeping your remote work activities secure while your private activities remain on your standard network.
Helping you access region-locked streaming media content without impacting all of your traffic.
Enjoying the full speed of your standard connection for things like games and readily available streaming content, while also securing sensitive data.
Are there any risks when using split tunneling?
As with almost any technology, split tunneling comes with a few inherent risks, most of which can be mitigated.
Also: Best VPN for streaming: Unlock Hulu, Netflix, and more
The most common risk is a DNS leak. Without delving into the technical details, a DNS leak happens when you unintentionally expose the details of your traffic to bad actors. A full tunnel VPN deployment encrypts everything, while split tunneling encrypts only a portion. This means there's always a risk, however small, that some traffic that should have been encrypted will remain unsecured. This can be mitigated by ensuring that you've correctly configured which apps, sites, and services use your VPN and which don't.
Poor configuration is behind most DNS leaks, which are caused by users being unaware that they're leaving sensitive data exposed. For those worried that they may forget to secure something sensitive, inverse tunneling is a great option due to it encrypting everything by default, with only the apps and sites you manually choose reverting to your standard network.
Split tunnel vs. full tunnel: What's the difference?
A full tunnel connection is really just another word for a standard VPN. This means all of your traffic will travel across the private network, and be encrypted. Split tunneling, as defined above, routes only a portion of that traffic, which it encrypts, through the VPN's private network. The remainder travels across your standard network connection, remaining encrypted unless affected by other services or security measures.
Which VPNs support split tunneling?
Below is a list of the VPNs we've confirmed support split tunneling. We also highly recommend checking your VPN provider's websites for specific information on their split tunneling support.
Also: The best cheap VPNs
You can find reviews and additional coverage for most of these providers by clicking on their names below.
- ExpressVPN
- NordVPN
- Surfshark
- Private Internet Access
- ProtonVPN
- CyberGhost
- IPVanish
- PureVPN
- Atlas VPN
- Ivacy