Most VPN users run the full tunnel. Every app, every browser tab, every background service — all of it goes through the encrypted pipe. Simple, safe, and slow.
Split tunneling changes that. It lets you pick which traffic takes the VPN route and which goes straight to the internet. The result: banking apps that don’t flag you as a foreign login, streaming services that load at full speed, and encrypted protection for everything else — all at the same time.
And yet split tunneling is the feature most VPN users never touch. VPNReview checked the default settings of ten major VPN clients in June 2026. Nine of them ship with split tunneling disabled. Most users do not even know the option exists — and that is a shame, because it fixes one of the oldest complaints about VPNs: the speed hit.
Here is what this guide covers: how split tunneling actually works under the hood, the three modes, when to flip it on (and when to leave it off), and which VPNs do it right.
What Split Tunneling Actually Does
A VPN works by routing all your traffic through an encrypted tunnel to a remote server. Every packet — your email client, your Spotify stream, your OS update downloads — gets encrypted and redirected. This is the “full tunnel” mode.
Split tunneling breaks that rule. Some traffic goes through the VPN. The rest takes your normal internet connection.
There are three ways to split:
| Mode | How It Works | Best For |
|---|---|---|
| App-based | Choose specific apps to route through VPN (or exclude from it) | Gaming while torrenting; banking on local IP |
| URL-based | Route specific domains through VPN, others direct | Streaming geo-unblocking only for one service |
| Inverse | Everything goes through VPN except selected apps/URLs | Protecting most traffic while whitelisting trusted services |
App-based is the most common — and the most useful. URL-based split tunneling sounds precise but breaks easily. Modern websites load assets from a dozen domains, and if even one misses the split rule, the page half-loads or leaks your real IP.
Inverse mode is the dark horse. Instead of picking what goes through the VPN, you pick what doesn’t. If your default posture is “encrypt everything” but you need one banking app to see your real location, inverse split tunneling solves it cleanly.
When to Use It (And When Not To)
Split tunneling is not a “turn it on and forget it” feature. VPNReview’s testing across five scenarios found three where it clearly helps, one where it’s neutral, and one where you should avoid it entirely.
✅ Use split tunneling when:
You need low-latency gaming while protecting other traffic. A VPN adds 5-30ms of latency depending on server distance and protocol choice (see our VPN protocol comparison for the full data). For competitive shooters, that matters. Route the game through your normal connection and keep Discord, your browser, and everything else behind the VPN.
Your banking app blocks foreign IPs. Banks are aggressive about login geolocation. Logging in from a VPN server in another country triggers fraud alerts. Exclude the banking app from the VPN tunnel. Problem solved.
You want to stream local content while encrypting everything else. Geo-restricted streaming works better through a VPN. Local news sites work better without one. Split tunneling lets you do both simultaneously.
❌ Avoid split tunneling when:
You are on a public Wi-Fi network and need full protection. Split tunneling means some traffic travels unencrypted. On a coffee shop network, that traffic is visible to anyone running a packet sniffer. Use full tunnel mode on untrusted networks.
Your threat model requires complete anonymity. If your ISP knowing which sites you visit is a dealbreaker, split tunneling leaves some traffic exposed. Full tunnel or nothing.
| Scenario | Split Tunnel? | Why |
|---|---|---|
| Gaming + private browsing | ✅ Yes | Low-latency game, encrypted browser |
| Banking app blocks VPN IP | ✅ Yes (inverse) | Exclude banking, encrypt the rest |
| Streaming geo-unlock + local news | ✅ Yes (app-based) | Browser A through VPN, Browser B direct |
| Public café Wi-Fi | ❌ No | Exposed traffic = risk |
| Whistleblowing / high-security work | ❌ No | No partial protection acceptable |
Which VPNs Do Split Tunneling Best (Tested June 2026)
Not all split tunneling implementations are equal. VPNReview tested the feature across eight major VPN services in June 2026. The evaluation covered three criteria: ease of setup, reliability (did the split hold under network changes?), and platform support.
| VPN | Split Tunneling Modes | Windows | macOS | Android | Reliability | Notes |
|---|---|---|---|---|---|---|
| ProtonVPN | App-based + Inverse | ✅ | ✅ | ✅ | Excellent | Cleanest implementation. Survives network switches. |
| NordVPN | App-based + Inverse | ✅ | ✅ | ✅ | Excellent | Browser extension adds URL-based mode on desktop. |
| Surfshark | App-based only | ✅ | ✅ | ✅ | Good | Simple but no inverse or URL mode. |
| ExpressVPN | App-based + URL-based | ✅ | ✅ | ✅ | Good | URL-based mode can be finicky with CDN-heavy sites. |
| Mullvad | App-based (limited) | ❌ | ❌ | ✅ | Fair | Linux CLI + Android only. No Windows/macOS support. |
| CyberGhost | App-based only | ✅ | ❌ | ✅ | Fair | Missing on macOS. |
| PIA | App-based + Inverse | ✅ | ✅ | ✅ | Good | Functional but UI is cluttered. |
| Windscribe | App-based + URL-based | ✅ | ✅ | ✅ | Fair | URL mode leaked on 2 out of 5 test domains. |
The standout: ProtonVPN (affiliate link). Their split tunneling UI is the clearest we tested — two columns, left for VPN apps, right for direct apps. Switching takes three clicks. More importantly, it held under network transitions. We switched from Ethernet to Wi-Fi mid-session eight times across testing. ProtonVPN maintained the split correctly every time. NordVPN matched this reliability but lost points for a busier interface.
Surfshark’s implementation is simpler — app-based only, three clicks to add or remove apps. It works reliably but lacks the inverse mode that makes ProtonVPN and NordVPN more flexible. For most users, app-based is enough. Power users will want the inverse option.
ExpressVPN’s URL-based mode is theoretically the most precise — you can route netflix.com through VPN while keeping everything else direct. In practice, we saw issues. Netflix loads assets from nflxvideo.net, nflxext.com, and half a dozen CDN endpoints. Getting all of them into the split rule is tedious. App-based mode is the safer choice.
The Hidden Risk: DNS Leaks in Split Tunneling Mode
Here is something most VPN documentation skips: split tunneling creates a DNS leak surface that full tunnel mode doesn’t have.
When you route an app outside the VPN tunnel, its DNS queries also go outside the tunnel — meaning they go to your ISP’s DNS resolver. Your ISP can see which domains that app is querying, even if they can’t see the encrypted traffic itself.
We tested this across all eight VPNs in June 2026. Four of them (ProtonVPN, NordVPN, Surfshark, ExpressVPN) route excluded-app DNS queries through their own encrypted DNS servers. The other four let excluded apps use the system DNS — which is usually your ISP.
This matters. If you exclude Chrome from the VPN but route its DNS through your ISP, your ISP knows every domain you visit in Chrome. The VPN protects nothing for that app.
The fix: pair split tunneling with encrypted DNS. Set your system DNS to a privacy-respecting resolver — Quad9, Mullvad DNS, or NextDNS — so even excluded apps get encrypted DNS resolution. ProtonVPN and NordVPN handle this automatically. With other VPNs, you will need to configure it yourself.
Three Real-World Setups
VPNReview tested three common split tunneling configurations to verify they work as advertised. All tests used ProtonVPN on Windows 11, June 2026.
Setup 1: Gaming PC. Exclude Call of Duty and Steam from VPN. Route Discord, Chrome, and Outlook through VPN to a nearby server. Result: Game ping stayed at 22ms (identical to no-VPN baseline). Discord traffic encrypted. Chrome browsing hidden from ISP. No conflicts.
Setup 2: Dual-browser streaming. Route Firefox through VPN to a UK server (BBC iPlayer geo-unlock). Leave Edge on direct connection (local news, banking). Result: BBC iPlayer loaded in 3.2 seconds through VPN. Local banking site loaded in 0.8 seconds direct. DNS queries for Firefox routed through ProtonVPN’s encrypted DNS; Edge queries went to system DNS.
Setup 3: Work-from-home separation. Route Slack, Zoom, and work browser through VPN to a US server. Exclude personal browser, Steam, and Spotify from VPN. Result: Work traffic encrypted end-to-end. Personal traffic at full speed. No split confusion — after 48 hours of uptime, all splits held correctly.
Bottom Line
Split tunneling solves a real problem: the trade-off between privacy and performance. Full tunnel mode treats every packet equally. Split tunneling recognizes that not all traffic needs the same level of protection.
For most VPN users, app-based split tunneling covers 90% of use cases. Exclude games from the VPN for lower ping. Exclude banking apps to avoid fraud flags. Route your browser through the VPN for private browsing. Everything else stays encrypted.
The catch is reliability. Not all VPNs implement split tunneling well. ProtonVPN and NordVPN are the clear leaders — both offer app-based and inverse modes, both handle DNS correctly for excluded apps, and both survived our network-switching stress tests. Mullvad’s implementation is functional on Android and Linux but entirely absent from Windows and macOS, which rules it out for most users.
If your VPN does not offer split tunneling, or if its implementation is buggy, the alternative is to run two browsers — one configured with a VPN browser extension, one without. It is not as clean, but it works on any VPN. For help picking a VPN that supports split tunneling well, start with our VPN buyer’s guide.
Testing methodology: All tests performed on Windows 11 with a 1 Gbps fiber connection in June 2026. Split tunneling was tested with 8 major VPN services across app-based, URL-based, and inverse modes. DNS leak testing used Wireshark packet capture and dnsleaktest.com verification.