VPNs function by tunneling and encrypting your connection, thus keeping your internet activity, location, identity, and IP hidden. Thanks to VPNs, you can unblock geo-locked and censored content, bypass state-wide firewalls, and torrent safely.
While extremely useful, a VPN also prevents you from using (or using properly) certain sites and services. A lot of these sites rely on using your location data and cookies to function – things like shopping websites, banks, dating websites, or airline ticket marketplaces. Other websites block access to VPN connections altogether.
One handy feature solves this problem without making you turn the VPN on and off constantly – split tunneling.
What is split tunneling in the VPN world? Split tunneling allows you to divide or “split” your internet connection into two separate streams. One goes through the encrypted VPN tunnel, while the other functions normally, connecting you to target websites directly.
This lets you enjoy the benefits of using a VPN when accessing some content and the perks of revealing your location data for others. However, this option comes with certain security risks you should be aware of if you decide to use VPN split tunneling.
How Do VPN Connections Work?
To better understand why split tunneling is important and how it works, we should first go over how VPN connections function in the first place.
When using a VPN, your network data is tunneled – i.e., packaged and encrypted – and sent to a VPN server. The server then acts as a proxy and forwards that data to an end-point on the internet (the website or service you’re trying to reach). Once the website sends back data, it goes through the VPN server first and is then sent back to the user.
Tunneling is crucial for establishing a VPN connection: Through a process called encapsulation, VPN tunneling protocols hide your data packets within other packets. This, in turn, keeps important information, like your browsing history and location, hidden from your ISP, hackers, and other parties who might have an interest in spying on your connection.
Usually, when your VPN is turned on, you’re taking part in full tunneling, meaning that all your outgoing data flows go through an encrypted tunnel. Tunneling itself does not feature any encryption – that part comes from the VPN protocol you’re using.
However, VPN connections are always somewhat slower than connecting to the internet regularly. This is a consequence of both the encryption performed by the protocol (stronger encryption adds more processing overhead) and your data having to make additional stops before reaching the target web server.
Without a VPN, your data takes a direct route to the target website, but connecting to the internet normally means foregoing protection offered by the VPN. On the plus side, you get to use the full extent of your bandwidth. Additionally, sites that rely on your location data and cookies can work properly.
How Does Split Tunneling Work?
Split tunneling is a VPN feature offered by a lot of the major VPN service providers. A VPN split tunnel can also be set up through router settings, or tuning options at the OS level. Still, the easiest way by far is to use dedicated VPN apps.
Unfortunately, this often isn’t an option in a corporate context, where VPN connections are most often operated in-house by IT administrators.
As we’ve explained in the introduction, split tunneling works by letting you separate your connection into two parts: One that goes through a VPN tunnel and another that connects to the internet regularly.
But how does split tunneling work in practice? Well, there are several different ways to configure split tunneling, but it nearly always lets you choose which sites/services you want to go through the VPN-encrypted tunnel (with everything else connecting sans VPN) or pick the websites you don’t want the VPN to be used for (all other sites will be accessed via VPN).
Now, let’s go over the main VPN split tunneling types.
Regular Split Tunneling
This is the default mode of operation for this feature. When you enable split tunneling, you’ll get to make a list of apps or websites that go through the VPN. Everything else will be accessed regularly through the network. This mode is best used in situations where you need a VPN for select activities.
These could be country-locked websites you have to access for research, Netflix regional libraries you want to watch, or torrent clients you wish to use safely. To avoid switching the VPN on just for those few activities – or to torrent and use other sites simultaneously – just toggle on standard split tunneling.
Inverse Split Tunneling
As its name suggests, inverse split tunneling works in the opposite manner. Instead of designating what endpoints will be accessed through a VPN, you designate only those that won’t – all other connections will go through an encrypted tunnel.
This type of split routing is most often used in two cases. In the first one, a user relies on VPNs to keep most of their online activity private but has a few websites they have to access directly.
For example, if you use a VPN for pretty much everything to keep your browsing habits secret, but your banking platform blocks VPN connections, just place the link for the banking site in the inverse split tunneling exclusion list, and you’re all set.
The other scenario is tied to the business sphere. Companies that run private VPN servers aim to keep most business activities protected by a VPN network.
However, when employees access non-work-related sites, they might be using up valuable bandwidth with a protected connection. Network administrators already have the thankless task of combing through thousands of different connections to assess resource usage and security risks.
Often, it’s much easier to simply separate non-work connections via an inverse split-tunnel VPN and save time and money. Unfortunately, this leads to security vulnerabilities which we’ll get to in a minute.
URL-Based Split Tunneling
Besides being divided by whether most of your connections go through the VPN or outside of it, split tunneling types also differ by how these connections are defined.
URL-based split tunneling allows you to make exclusion lists of specific URLs. This means you choose which sites will be accessed through a VPN by pasting their URL into the list.
App-Based Split Tunneling
App-based split tunneling lets you determine which applications will go through the VPN connection and which won’t. Again, this is extremely useful for apps like Uber, or mobile banking applications you want to reach directly.
On the other hand, with app-based regular split tunneling, you might designate BitTorrent or Netflix to go through a VPN, while everything else functions regularly.
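To make the four variants above concrete, here is a small policy engine written for this article as an added example; it is not DataProt's code or any VPN vendor's implementation. It models regular vs. inverse mode and matching by application name or by URL hostname (a listed host also matches its subdomains), and for each connection it reports which path is taken and what a passive observer on the local network (your ISP, for instance) would see as the destination. The VPN server address, app names, and hostnames are all constructed placeholders. The example also shows a caveat the article's description implies: a URL-based list matches the hostname you typed, not the third-party hosts (CDNs, trackers) that page pulls in, so in regular mode those embedded requests go direct.

```python
"""Toy split-tunnel policy engine (added example, not from DataProt or a VPN vendor).

Models the variants described in the article:
  - regular : only listed apps/hosts use the tunnel, everything else goes direct
  - inverse : listed apps/hosts go direct, everything else uses the tunnel
  - the lists can name applications or URL hostnames (suffix match on the host)
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed address (TEST-NET-3 range) standing in for the VPN exit server.
VPN_SERVER = "203.0.113.10"


@dataclass
class SplitTunnelPolicy:
    mode: str                                   # "regular" or "inverse"
    apps: set = field(default_factory=set)      # application names on the list
    hosts: set = field(default_factory=set)     # hostnames on the list, e.g. "bank.example"

    def _host_listed(self, host: str) -> bool:
        """True if `host` is a listed host or a subdomain of one."""
        host = host.lower().rstrip(".")
        return any(host == h or host.endswith("." + h) for h in self.hosts)

    def listed(self, app: str, url: str) -> bool:
        host = urlparse(url).hostname or ""
        return app in self.apps or self._host_listed(host)

    def route(self, app: str, url: str) -> str:
        """Return 'tunnel' or 'direct' for a connection from `app` to `url`."""
        hit = self.listed(app, url)
        if self.mode == "regular":
            return "tunnel" if hit else "direct"
        if self.mode == "inverse":
            return "direct" if hit else "tunnel"
        raise ValueError(f"unknown split-tunnel mode: {self.mode!r}")


def isp_view(policy: SplitTunnelPolicy, app: str, url: str) -> str:
    """Destination visible to an observer on the local network segment.

    Tunneled traffic is encapsulated, so only the outer packet to the VPN
    server is visible; direct traffic exposes the real destination host.
    """
    if policy.route(app, url) == "tunnel":
        return VPN_SERVER
    return urlparse(url).hostname or ""


def routing_report(policy: SplitTunnelPolicy, flows):
    """Map each (app, url) flow to (path taken, destination seen by the ISP)."""
    return {(app, url): (policy.route(app, url), isp_view(policy, app, url))
            for app, url in flows}


if __name__ == "__main__":
    # Constructed sample flows: a streaming site, its third-party CDN, a torrent client.
    flows = [
        ("browser", "https://www.streaming.example/watch"),
        ("browser", "https://cdn.thirdparty.example/chunk"),
        ("torrent-client", "udp://tracker.example:6969"),
        ("browser", "https://online.bank.example/login"),
    ]
    regular = SplitTunnelPolicy("regular", apps={"torrent-client"}, hosts={"streaming.example"})
    inverse = SplitTunnelPolicy("inverse", hosts={"bank.example"})
    for name, policy in (("regular", regular), ("inverse", inverse)):
        print(f"--- {name} split tunneling ---")
        for (app, url), (path, seen) in routing_report(policy, flows).items():
            print(f"{app:15} {url:45} {path:7} ISP sees: {seen}")
```

Run as-is to compare the two modes side by side. Note that in regular mode the CDN request goes direct even though the streaming site is listed, which is the kind of partial exposure the article warns about in the risk section; inverse mode with only the bank excluded keeps everything else inside the tunnel.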
Split Tunneling Is a Security Risk
So far, we’ve covered mainly the good sides of split tunneling – convenience and flexibility. However, there are some split-tunnel VPN security risks you should know about.
These risks or vulnerabilities don’t stem from split tunneling as a feature itself: Unlike certain VPN protocols or encryption techniques, split tunneling doesn’t have built-in weaknesses.
Instead, the risks come from how you use it. More precisely, using split tunneling leaves you more open to attacks because you’re not hiding a part of your connections.
Corporate networks face the brunt of split tunneling risks. In a lot of cases, companies use in-house VPNs and proxy servers to route your connection through a security center and protect the business network from traditional attacks.
However, if some employees are using split tunneling, certain connections are not in a protected network. A lot of the things you might access online, such as regular websites, SaaS platforms, or applications, represent possible cyberattack vectors.
Without the protection of the corporate network’s high-level security, individual users are more likely to be hit by malware.
The problems don’t end there: Cybercriminals often hit one of the user-controlled end-points first, and then use it as a foothold to attack the entire corporate network it connects with. Since a company’s security team has little-to-no control over non-VPN connections, they have a much harder time stopping malware from entering their network this way.
This was precisely the method used in the high-profile ransomware attacks that have been shaking up US companies these last two years, although the split tunnel feature wasn’t the source of the issue in those cases.
Individual users are at risk when using split tunneling, too. If you’re using a VPN to remain anonymous online and keep your browsing habits secret, connecting to just a few sites without it could endanger your privacy.
Benefits of Split Tunneling
Split tunneling comes with some clear-cut benefits both for regular users and corporations:
Split tunneling allows you to use sites where security is essential and those where you favor speed at the same time, without constantly turning the VPN client on and off.
One of the main reasons you want to connect directly to most websites is to preserve your original bandwidth. VPNs can seriously impact your connection speed, depending on the provider’s server network, VPN protocol used, and so forth. This especially rings true during bandwidth-hungry activities like online gaming or streaming.
3. Simultaneous Use of Multiple Networks
In the split tunnel vs. full tunnel face-off, a huge advantage split tunneling brings to the table is the ability to connect to multiple networks simultaneously. For example, you can be connected to both the corporate network and your local network at the same time, and use things like printers and other IoT devices without disconnecting from the VPN.
Disadvantages of Split Tunneling
Of course, as discussed previously, there are both pros and cons to VPN split tunneling. While split tunneling is extremely useful, there are a few reasons to stick to a full-tunnel VPN.
The biggest drawback of using split tunneling is how open it leaves you to spying and malware attacks. With one portion of your connections unprotected by a VPN, both individuals and corporate networks stand to lose a lot.
While split tunneling does provide you with extra flexibility, it might take a while to set up. If you have a lot of websites or apps you have to put on the exclusion list, configuring everything can take ages.
3. Difficult Network Monitoring
Even if there were no real security risks to split tunneling, it still makes things difficult for whoever operates your network management software. Auditing all connections is nearly impossible if split tunneling is enabled, leaving room for unauthorized data sharing.
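Because the traffic that bypasses the tunnel is exactly the traffic the corporate security stack cannot see, one thing a network team can still do is audit the flows the VPN client itself logs for coverage gaps. The script below is an added example for the corporate-risk and monitoring points above; it is not from DataProt or any product. It takes a constructed flow log (user, application, destination host, path taken), flags corporate hosts that were reached outside the tunnel and policy-inspected applications that bypassed it, and computes per-user tunnel coverage. The domain list, application names, and log lines are constructed placeholders.

```python
"""Split-tunnel coverage audit (added example, not from DataProt or a VPN product).

Input is a flow log as a VPN client or endpoint agent might export it:
    (user, application, destination host, path)   path is "tunnel" or "direct"
Output is a list of findings plus the fraction of each user's flows that the
corporate security stack could actually inspect.
"""
from collections import Counter

# Constructed policy: hosts that must only be reached through the tunnel, and
# applications whose traffic policy says must pass the corporate inspection point.
CORP_DOMAINS = {"corp.example"}
INSPECTED_APPS = {"email-client", "file-sync"}

# Constructed flow log.
FLOWS = [
    ("alice", "browser",      "wiki.corp.example",      "tunnel"),
    ("alice", "browser",      "video.example",          "direct"),
    ("bob",   "file-sync",    "share.corp.example",     "direct"),  # corporate host, outside the tunnel
    ("bob",   "browser",      "news.example",           "direct"),
    ("bob",   "browser",      "news.example",           "direct"),
    ("carol", "email-client", "mail.provider.example",  "direct"),  # inspected app bypassing the tunnel
    ("carol", "browser",      "hr.corp.example",        "tunnel"),
]


def in_domain(host: str, domains) -> bool:
    """True if `host` equals or is a subdomain of any entry in `domains`."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def audit(flows, corp_domains=CORP_DOMAINS, inspected_apps=INSPECTED_APPS):
    """Return (findings, coverage).

    findings : list of (user, app, host, reason) for direct flows that violate policy
    coverage : {user: fraction of that user's flows that went through the tunnel}
    """
    findings = []
    total, direct = Counter(), Counter()
    for user, app, host, path in flows:
        total[user] += 1
        if path != "direct":
            continue
        direct[user] += 1
        if in_domain(host, corp_domains):
            findings.append((user, app, host, "corporate resource reached outside the tunnel"))
        if app in inspected_apps:
            findings.append((user, app, host, "policy-inspected application bypassed the tunnel"))
    coverage = {user: 1 - direct[user] / total[user] for user in total}
    return findings, coverage


if __name__ == "__main__":
    findings, coverage = audit(FLOWS)
    for user, frac in sorted(coverage.items()):
        print(f"{user:8} tunnel coverage {frac:.0%}")
    for user, app, host, reason in findings:
        print(f"FINDING {user}/{app} -> {host}: {reason}")
```

The coverage number is the useful metric here: a user at 0% is effectively off the corporate network while still holding a tunnel to it, which is the foothold scenario described above. The findings list is what to feed into whatever ticketing or SIEM workflow the team already uses.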
Top 3 VPNs with Split Tunneling
If you’d like to use the split-tunnel feature, you should know that not all VPN providers offer it. Here, we’ve gathered the three top VPNs that come equipped with split tunneling.
Surfshark is a feature-packed VPN with 3,200 servers in its network. Besides split tunneling (called Bypasser here), Surfshark features a No Borders mode, ad-free browsing, a Kill Switch, and DNS leak protection. On top of that, this VPN provider has a firm No Logs policy, and their subscription plans are almost always discounted.
CyberGhost has one of the biggest VPN server networks around, with over 6,000 servers spread globally. CyberGhost stays true to its name, providing high levels of privacy thanks to top-notch encryption and proprietary NoSpy servers. Besides split tunneling, this VPN provider is great for streaming and torrenting, and works on practically every platform.
ExpressVPN offers one of the quickest VPN services you can find currently. ExpressVPN is ideal for VPN torrenting, as it offers split tunneling and all of its servers are P2P-ready. Coupled with its sizeable network and private DNS on each server, this VPN is a dream come true for privacy-focused users.