VPN Split Tunneling
What is VPN Split Tunneling?
VPN Split Tunneling
A VPN configuration that routes only selected traffic (e.g. corporate subnets) through the encrypted tunnel while letting the rest reach the internet directly.
Split tunneling is configured on VPN clients (OpenVPN, WireGuard, IKEv2, Cisco AnyConnect, Windows Always On VPN, ZTNA agents) so that only specific destinations - typically internal IP ranges, DNS suffixes, or applications - traverse the encrypted tunnel. All other traffic uses the local internet uplink. The benefit is reduced VPN concentrator load, lower latency for SaaS, and avoidance of double-NAT for cloud services. The drawbacks are real: the endpoint is simultaneously on a trusted network and the public internet, which weakens the security boundary, complicates DLP and inspection, and can leak DNS via the local resolver. Modern designs counter this with full-tunnel for managed devices, ZTNA per-application policies, secure DNS to a corporate resolver, and EDR on every endpoint.
● Examples
- 01
A WireGuard client routing only 10.0.0.0/8 through the corporate tunnel and sending Zoom traffic directly to the internet.
- 02
Microsoft 365 split-tunnel guidance that excludes Exchange, SharePoint, and Teams optimized endpoints from the corporate VPN.
● Frequently asked questions
What is VPN Split Tunneling?
A VPN configuration that routes only selected traffic (e.g. corporate subnets) through the encrypted tunnel while letting the rest reach the internet directly. It belongs to the Network Security category of cybersecurity.
What does VPN Split Tunneling mean?
A VPN configuration that routes only selected traffic (e.g. corporate subnets) through the encrypted tunnel while letting the rest reach the internet directly.
How does VPN Split Tunneling work?
Split tunneling is configured on VPN clients (OpenVPN, WireGuard, IKEv2, Cisco AnyConnect, Windows Always On VPN, ZTNA agents) so that only specific destinations - typically internal IP ranges, DNS suffixes, or applications - traverse the encrypted tunnel. All other traffic uses the local internet uplink. The benefit is reduced VPN concentrator load, lower latency for SaaS, and avoidance of double-NAT for cloud services. The drawbacks are real: the endpoint is simultaneously on a trusted network and the public internet, which weakens the security boundary, complicates DLP and inspection, and can leak DNS via the local resolver. Modern designs counter this with full-tunnel for managed devices, ZTNA per-application policies, secure DNS to a corporate resolver, and EDR on every endpoint.
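As an added illustration (not code from the original page), the following Python script parses a constructed WireGuard client config, decides which destinations its AllowedIPs list sends through the tunnel, and flags a configured resolver that the tunnel does not cover, which is the DNS-leak case described above. The config contents, key placeholders and destination addresses are constructed for the example.

```python
import ipaddress

# Constructed sample WireGuard client config (split tunnel): only the two
# private prefixes in AllowedIPs traverse the tunnel; everything else goes direct.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.200.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

# Same split tunnel, but the resolver is a public address outside AllowedIPs,
# so DNS queries leave in cleartext over the local uplink (constructed example).
LEAKY_DNS_CONF = SPLIT_TUNNEL_CONF.replace("DNS = 10.0.0.53", "DNS = 192.0.2.53")


def parse_wg_conf(text):
    """Return (dns_servers, allowed_networks) from a WireGuard client config."""
    dns, allowed = [], []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DNS":
            dns += [ipaddress.ip_address(v.strip()) for v in value.split(",")]
        elif key == "AllowedIPs":
            allowed += [ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",")]
    return dns, allowed


def route_for(dest, allowed):
    """'tunnel' if dest falls inside any AllowedIPs prefix, otherwise 'direct'."""
    ip = ipaddress.ip_address(dest)
    return "tunnel" if any(ip in net for net in allowed) else "direct"


def classify(text, destinations):
    """Map each destination to its path and list resolvers that bypass the tunnel."""
    dns, allowed = parse_wg_conf(text)
    routes = {d: route_for(d, allowed) for d in destinations}
    leaking_dns = [str(s) for s in dns if not any(s in net for net in allowed)]
    return routes, leaking_dns


if __name__ == "__main__":
    # 10.20.30.40 stands in for a corporate host, 203.0.113.10 for a SaaS endpoint.
    print(classify(SPLIT_TUNNEL_CONF, ["10.20.30.40", "203.0.113.10"]))
    print(classify(LEAKY_DNS_CONF, ["10.20.30.40"]))
```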
How do you defend against VPN Split Tunneling?
Defences for VPN Split Tunneling typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for VPN Split Tunneling?
Common alternative names include: Split tunnel, Selective VPN routing.
● Related terms
- network-security№ 1213
VPN Kill Switch
A safeguard that automatically blocks all network traffic on the host whenever the VPN tunnel drops, preventing inadvertent leaks over an unencrypted connection.
- network-security№ 042
Always-On VPN
A device-wide policy that establishes the VPN tunnel automatically as soon as the network is available and refuses non-tunnelled traffic, enforced by Windows, Apple, and Android profiles.
- privacy№ 339
DNS Leak
A privacy failure in which DNS queries bypass a VPN or Tor tunnel and are sent to the user's ISP or default resolver in cleartext.
- network-security№ 556
IPsec
A suite of IETF protocols that authenticates and encrypts IP packets to provide secure communications at the network layer.
- network-security№ 1244
WireGuard
A modern, minimal VPN protocol that uses a fixed set of state-of-the-art cryptographic primitives and runs as part of the Linux kernel.