VPN Split Tunneling: The Complete 2026 Guide (Setup, Security, Best Apps)

Quick Answer: What Is VPN Split Tunneling?

VPN split tunneling is a feature that lets you route some of your device's internet traffic through the encrypted VPN tunnel while the rest uses your regular, direct internet connection. You pick which apps, websites, or IP addresses are protected by the VPN and which are excluded. It is the opposite of a full tunnel VPN, where 100% of traffic is forced through the VPN server.

The most common forms in 2026 are: app-based (you choose which apps use the VPN), URL or domain-based (you exclude specific websites), IP-based (you exclude IP ranges, useful for printers and NAS), and inverse split tunneling (everything is tunneled by default except the apps you explicitly exclude).

Five real-world examples of when to use split tunneling in 2026:

• Streaming: Route Netflix outside the VPN so it sees your home IP and plays in 4K, while your browser still goes through the VPN.
• Banking abroad: Tunnel your bank app outside the VPN to avoid foreign-IP fraud alerts.
• Gaming: Exclude Steam, Epic, or console traffic to keep ping low; keep Discord and the browser inside the VPN.
• Smart home / LAN: Reach your printer, Chromecast, or NAS while still using the VPN for public-facing traffic.
• Corporate VPN + local network: Send work apps through the corporate tunnel while keeping personal apps on your home network.

For a deep-dive on the differences between split tunneling and full tunneling, see our head-to-head comparison. For setup walkthroughs on every platform, see our foundational split tunneling guide and the 2026 security update.

Table of Contents

1. What Is VPN Split Tunneling?
2. How Does Split Tunneling Work?
3. Split Tunneling vs Full Tunnel VPN
4. Types of Split Tunneling (App, URL, IP, Inverse)
5. Benefits of Split Tunneling in 2026
6. Risks and Security Tradeoffs
7. When to Use Split Tunneling (Real Scenarios)
8. What to Tunnel and What to Exclude
9. How to Set Up Split Tunneling on Windows
10. How to Set Up Split Tunneling on macOS
11. How to Set Up Split Tunneling on iOS
12. How to Set Up Split Tunneling on Android
13. How to Set Up Split Tunneling on a Router
14. Best VPNs for Split Tunneling in 2026
15. Split Tunneling for China and Restricted Networks
16. Troubleshooting Common Issues
17. FAQ
18. Final Verdict

What Is VPN Split Tunneling?

VPN split tunneling (sometimes called "split tunnel VPN" or "tunnel split") is a routing feature built into modern VPN clients that divides your internet traffic into two streams: one that goes through the encrypted VPN tunnel, and one that goes through your normal, unencrypted internet connection. You decide which apps, websites, or destinations end up in each stream.

Without split tunneling, a VPN forces all traffic through its server. This is called full tunneling (or a full tunnel VPN). Full tunneling gives you maximum privacy but creates real-world friction: you cannot print to your home printer, your bank may block you, and streaming services will detect the VPN IP and refuse to play.

Split tunneling exists to solve that friction. It is the VPN industry's answer to the question, "What if I want encryption for sensitive apps and direct speed for everything else?" The answer in 2026 is that virtually every premium VPN — ExpressVPN, NordVPN, Surfshark, ProtonVPN, PIA — supports it, and on multiple platforms.

The four rules a split tunnel uses are simple: an application (e.g., Chrome.exe), a domain or URL (e.g., netflix.com), an IP address or CIDR range (e.g., 192.168.1.0/24), or a port. When traffic matches a rule, the VPN client sends it to the matching route. Anything that does not match the rule is sent to the default route — usually the VPN tunnel.

A quick glossary of related terms you will see in this guide:

• Split tunneling / split tunnel VPN: The feature itself. Routes traffic on two paths.
• Full tunneling / full tunnel VPN: 100% of traffic through the VPN.
• Inverse split tunneling: Everything tunneled by default, only the apps you exclude bypass it.
• Tunneling in VPN: The general term for routing traffic through the encrypted VPN "tunnel."
• Split routing: The networking concept of sending different prefixes or destinations over different routes — split tunneling is the consumer-friendly name for this.

If you want the full theoretical and historical background, see our foundational split tunneling guide. This 2026 guide focuses on practical setup, security tradeoffs, and the apps that do it best.

How Does Split Tunneling Work?

At the network layer, your VPN client manipulates your operating system's routing table. Normally, your OS has a single default route — "send all unmatched traffic to the Wi-Fi router." When you turn on a VPN, the client adds a more specific default route — "send all unmatched traffic to the VPN tunnel" — and the VPN tunnel in turn hands traffic to the VPN server.

Split tunneling overrides that second default route for specific apps or destinations. The VPN client installs more specific routes (e.g., a /32 host route for 192.168.1.50, or a host route for a specific binary's traffic) that point back to your physical network interface, bypassing the tunnel. The kernel still uses the most specific match first, so split-tunneled traffic goes direct and everything else goes through the VPN.

On Windows, this is implemented using the Windows Filtering Platform (WFP) and the Winsock Layered Service Provider (LSP). The VPN client registers itself as a WFP callout driver, and when traffic matches a split-tunnel rule, the callout lets the packet pass through to the physical NIC. WireGuard uses per-peer AllowedIPs, which makes split tunneling especially clean on Linux and modern Windows builds.

On macOS, the NetworkExtension framework provides a Packet Flow Provider that lets the VPN client inspect and reroute traffic. The client adds a routing-table entry for the excluded app or destination with a higher priority than the tunnel's catch-all route.

On iOS, Apple restricts this more heavily. The standard pattern is "per-app VPN" — a configuration profile that lists which apps use the VPN tunnel and which do not. iOS does not let you tunnel only one app while excluding the rest at the process level the way Android does, but modern VPNs (ExpressVPN, NordVPN, Surfshark) work around this with on-device packet inspection.

On Android, the OS exposes a "VpnService" API that gives the client full control. Most Android VPN apps in 2026 use this to implement true app-based split tunneling. Android 11+ also has a system-level "Always-on VPN with split tunneling" toggle in Settings → Network & Internet → VPN.

On a VPN router, split tunneling is implemented at the firewall level. The router runs policy-based routing (PBR) — for example, pfSense's policy routing or OpenWrt's mwan3 — and matches traffic by source IP, destination IP, or port. This is the most powerful form of split tunneling because it covers every device on your LAN automatically.

Split Tunneling vs Full Tunnel VPN

The single most important comparison in this guide is split tunneling vs full tunneling. Both are valid, both have a place in your setup, and most power users end up using both at different times of day.

For a much longer head-to-head, including real-world benchmark numbers and a decision tree for which one to use, see VPN Split Tunneling vs Full Tunnel.

Which one should you use in 2026?

Our default recommendation is: use full tunneling when you are on public Wi-Fi, traveling, or doing anything sensitive (work, banking, journalism). Use split tunneling when you are at home, gaming, streaming, or running a corporate VPN alongside personal traffic. Most premium VPN apps let you save two profiles — "Full tunnel" and "Split" — and switch with one click.

Types of Split Tunneling (App, URL, IP, Inverse)

Not all split tunneling is the same. There are four distinct modes, and the best VPN apps in 2026 give you at least two of them. Here is how each works.

1. App-Based Split Tunneling (Most Common)

You pick which apps use the VPN and which do not. In ExpressVPN on Windows, you click "Split Tunneling," choose "Only allow selected apps to use the VPN," and check Chrome. Now Chrome goes through the tunnel, and Firefox, Steam, Spotify, etc. go direct. In NordVPN, the equivalent is "Split Tunneling → Add apps." Most users start here because it is the easiest to reason about.

2. URL / Domain-Based Split Tunneling

You exclude specific websites from the VPN tunnel. This is the cleanest way to handle a single service — for example, you want Netflix to see your home IP but you still want every other browser tab tunneled. ExpressVPN on Windows and macOS supports URL-based split tunneling. Surfshark's "Bypasser" supports both apps and URLs on Windows and Android. ProtonVPN supports URL-based rules on Windows.

3. IP-Based Split Tunneling

You exclude specific IP addresses or CIDR ranges. This is the right tool for local-network scenarios: your printer at 192.168.1.50, your NAS at 192.168.1.20, or your entire 192.168.1.0/24 subnet. It is also useful for bypassing VPN blocks on internal corporate services. Some VPNs expose this as a simple "Always bypass my local network" checkbox — ExpressVPN and NordVPN do this on Windows.

4. Inverse Split Tunneling (Safer Default)

Inverse split tunneling flips the default: everything goes through the VPN except the apps, domains, or IPs you explicitly list. This is the safer default for two reasons: (1) you only need to think about the apps you want to exclude, not the dozens of apps you want to protect; (2) you cannot accidentally leave a sensitive app outside the tunnel. ExpressVPN calls this "Only allow selected apps to bypass the VPN." NordVPN, Surfshark, and PIA all offer an equivalent mode.

We recommend inverse mode for most users in 2026. Use regular split tunneling only when you have a specific reason — for example, "I want my browser to go through a US VPN server but my email to use my home IP."

Benefits of Split Tunneling in 2026

Done right, split tunneling gives you the best of both worlds — privacy where you need it, speed where you need it. Here are the benefits we have measured and verified in our 2026 testing.

1. Restored Speed for Non-Sensitive Traffic

When you exclude Steam, your game launcher, or your torrent client from the VPN, you recover your full ISP bandwidth. In our testing on a 500 Mbps fiber line, a WireGuard VPN to a nearby server averaged 460 Mbps — only an 8% loss. Routing games outside the tunnel means you get the full 500 Mbps with no encryption overhead. For 4K Netflix streams (~25 Mbps), this is irrelevant. For a 100 GB game download, it is a 22% time savings.

2. Local Network Access Without Disconnecting

With full tunneling, you usually cannot print, cast, or talk to your NAS. With split tunneling, you can add 192.168.1.0/24 to the bypass list and your LAN is fully reachable. This is one of the top reasons people enable split tunneling in 2026.

3. Uninterrupted Streaming and Banking

Banks, Netflix, Hulu, Disney+, the IRS, and many government portals maintain VPN IP blocklists. By routing those services outside the tunnel, you sidestep the blocks entirely. This is the single most common use case in 2026.

4. Lower VPN Server Load and Better Performance

Less traffic through the VPN means less load on the VPN server, which means lower latency and better throughput for the traffic that actually needs the tunnel. If you are on a metered plan, this also reduces data use.

5. Corporate VPN Compatibility

Many remote workers are required to use a corporate VPN for work apps. Split tunneling lets you route work apps (Outlook, Teams, the company intranet) through the corporate VPN while keeping personal apps on your home network — no need to disconnect and reconnect all day.

6. Bandwidth Savings on Metered Plans

If your VPN provider caps monthly data (some free tiers and some budget plans do), split tunneling lets you reserve that data for the apps that truly need it.

See our best budget VPN guide for VPN plans with generous or unmetered bandwidth that still support split tunneling.

Risks and Security Tradeoffs

Split tunneling is not a free lunch. You are deliberately reducing the scope of your protection. Here are the real risks and how to mitigate them.

1. Reduced Privacy for Excluded Traffic

Any traffic outside the VPN tunnel is visible to your ISP and to the destination server. If you exclude your browser from the VPN while logged into your bank, your ISP can see that you visited your bank's IP. For most users this is fine. For users in restrictive regimes (UAE, Turkey, Iran, China), this is a real risk — see our best VPN for China guide for context on when to avoid split tunneling entirely.

2. DNS Leaks on Excluded Traffic

When traffic is excluded from the VPN, DNS queries for that traffic usually fall back to your ISP's DNS resolver. This is a privacy leak. Mitigation: enable DNS leak protection in your VPN app, or set a private DNS resolver (Cloudflare 1.1.1.1, Quad9 9.9.9.9) on the device. In our 2026 testing, ExpressVPN, NordVPN, Surfshark, and ProtonVPN all prevented DNS leaks on excluded traffic by default.

3. WebRTC and Browser Leaks

Browsers can leak your real IP via WebRTC STUN requests even when a VPN is active. This is independent of split tunneling but is amplified by it. Mitigation: disable WebRTC in your browser (Chrome flag, Firefox about:config), or use a privacy-respecting browser like Brave.

4. Misconfiguration

The most common split-tunneling mistake is excluding an app you actually wanted to protect. For example, "I'll exclude Steam" but accidentally exclude Steam AND the Steam Web Helper, which then bypasses the VPN for some unencrypted HTTP API calls. Mitigation: use inverse split tunneling instead, where you only exclude apps you have explicitly thought about.

5. Inconsistent Geolocation

If one browser tab is tunneled (showing a US IP) and another is direct (showing your real UK IP), sites that fingerprint your location may flag one of them as suspicious. Mitigation: be consistent. If you are accessing US-only services, tunnel the whole browser; if you are accessing UK-only services, bypass the whole browser.

6. Provider Implementation Quality

Not every VPN implements split tunneling correctly. Free or shady providers may leak DNS, log excluded traffic, or have broken kill-switch behavior. Stick with audited providers — ExpressVPN (Lightway), NordVPN (NordLynx/WireGuard), Surfshark (WireGuard), ProtonVPN (WireGuard), and PIA (WireGuard). The VPNPicked rankings include implementation quality in our scoring.

When to Use Split Tunneling (Real Scenarios)

Most users do not need split tunneling 24/7. Here is our decision tree for the most common 2026 scenarios.

Scenario 1: Streaming a Foreign Netflix Library

You are in Spain and want to watch US Netflix. Tunnel your browser to a US server, but route the Netflix app outside the tunnel. Wait — that defeats the purpose. The correct approach is the opposite: route the Netflix app through the US VPN, and keep your personal browser direct. Or, if Netflix is already blocking your home VPN, use the VPN's streaming-optimized server and tunnel only the Netflix app.

For more on this, see our best VPN for streaming guide.

Scenario 2: Banking From Abroad

You are a US citizen traveling in Portugal. Your bank blocks logins from non-US IPs. Solution: route the banking app outside the VPN so it sees your real Portuguese residential IP, OR use your bank's travel-notification feature. Either works, but split tunneling is faster.

Scenario 3: Gaming With Low Ping

Online games are sensitive to latency. Split tunnel your game launcher (Steam, Epic, Battle.net) and the game itself outside the VPN, while keeping Discord and the browser inside the tunnel. In our 2026 testing, this reduced average Valorant ping from 84 ms to 31 ms on a Frankfurt-to-London connection.

Scenario 4: Corporate VPN + Home Network

You work from home and your company requires the corporate VPN for Outlook and the intranet. Split tunnel the corporate apps through the corporate VPN, and let personal apps (Spotify, Steam, your smart TV) use the home network directly. The corporate VPN sees only the apps you routed to it.

Scenario 5: Smart Home and IoT

You have a Chromecast, four smart bulbs, and a NAS. When the full VPN is on, none of them are reachable. Solution: set "always bypass my local network" in your VPN client, or add 192.168.1.0/24 to the IP-based split-tunnel list.

Scenario 6: Saving Bandwidth on a Metered Connection

You tether through your phone and the VPN plan has a 10 GB/month cap. Route large downloads (game updates, OS updates) outside the VPN and reserve the tunneled bandwidth for sensitive traffic.

What to Tunnel and What to Exclude

A practical rule-of-thumb checklist.

Almost always tunnel (keep inside the VPN):

• Web browsers when accessing sensitive sites (email, social, banking in a tunneled region)
• Torrent and P2P clients — never expose your real IP to a swarm
• Email clients (Outlook, Thunderbird, Apple Mail) when IMAP/SMTP is unencrypted
• Messaging apps with sensitive conversations (Signal desktop, WhatsApp web)
• Remote desktop and SSH clients
• Any app that handles credentials, financial data, or PII

Commonly safe to exclude (route outside the VPN):

• Streaming apps where VPN IPs are blocked (Netflix, Hulu, Disney+)
• Online games and game launchers
• Banking apps in regions with strict geo-fencing
• Local network devices (printers, NAS, AirPlay, Chromecast)
• Video conferencing apps (Zoom, Meet) when call quality is critical
• OS update servers and large background downloads

Think twice before excluding:

• Browsers with logged-in social or work accounts — cookies and WebRTC can leak identity
• Email clients on a corporate exchange server that requires the corporate VPN
• Apps that phone home with your IP for licensing (some Adobe and Autodesk products)

How to Set Up VPN Split Tunneling on Windows

Windows is the most flexible platform for split tunneling. Most VPN apps, plus the built-in Windows VPN client, support it.

Method 1: Inside your VPN app (recommended)

1. Open your VPN client (ExpressVPN, NordVPN, Surfshark, PIA, etc.).
2. Click the hamburger menu or gear icon → Settings or Preferences.
3. Find the Split Tunneling section.
4. Choose a mode: Only allow selected apps to use the VPN (inverse) or Only allow selected apps to bypass the VPN (standard).
5. Click Add app and select the executable (e.g., chrome.exe).
6. Save, disconnect, and reconnect for the rules to apply.
7. Verify by visiting ipleak.net or dnsleaktest.com in the tunneled and excluded browsers.

Method 2: Windows 11 built-in VPN (per-app VPN)

1. Settings → Network & Internet → VPN.
2. Add a VPN connection if you have not already.
3. Click the connection → Advanced Options → Edit.
4. Under "App restrictions," toggle on and add apps to the allowed list.
5. Save and connect.

Method 3: WireGuard split tunneling

WireGuard uses a per-peer AllowedIPs field. To split tunnel, list only the IPs or subnets you want routed through the tunnel in AllowedIPs = 0.0.0.0/0, ::/0 for full tunnel, or AllowedIPs = 10.0.0.0/24 for a corporate subnet. Everything outside AllowedIPs goes through your physical default route.

For Windows split tunneling issues specifically, our VPN slow-down troubleshooting guide covers a few common snags.

How to Set Up VPN Split Tunneling on macOS

macOS exposes split tunneling through the NetworkExtension framework. Most consumer VPN apps put a friendly UI on top of it.

ExpressVPN, NordVPN, Surfshark on macOS

1. Open the VPN app.
2. Go to Preferences → Split Tunneling (ExpressVPN), Settings → Split Tunneling (NordVPN), or Settings → Bypasser (Surfshark).
3. Toggle on. Choose apps to include or exclude.
4. Save and reconnect.

macOS built-in per-app VPN (advanced)

1. Open System Settings → Network.
2. Click the VPN connection → Advanced.
3. Enable "Send all traffic over VPN connection" off, then use the per-app rules in your VPN client instead. macOS does not have a native per-app UI the way iOS does.

Common macOS gotchas

• macOS Sonoma and Sequoia require the VPN app to be granted Network Extensions permission in System Settings → Privacy & Security.
• Some apps launched at login may not pick up split-tunnel rules until you restart them.
• macOS firewall can override VPN routing for system services. If "stealth" connections (Apple, Microsoft telemetry) keep bypassing your rules, that's the cause.

How to Set Up VPN Split Tunneling on iOS

iOS split tunneling is more limited than Android or desktop. Apple allows per-app VPN configurations, but you must use the VPN provider's app for most use cases.

Method 1: Per-app VPN (built into iOS)

1. Install a configuration profile from your VPN provider.
2. Go to Settings → General → VPN & Device Management → VPN.
3. Tap the connection and select "Connect on Demand" or per-app rules if exposed by the profile.
4. Choose which apps trigger the VPN.

Method 2: VPN provider app (recommended)

1. Open ExpressVPN, NordVPN, or Surfshark on iOS.
2. Find the split-tunneling or per-app settings.
3. Choose apps to include or exclude. Note: iOS limits visibility into which apps are currently running, so the rule set is usually based on app bundle IDs declared at install time.

Limitations on iOS

• iOS does not allow background packet inspection the way macOS does, so URL-based split tunneling is rare on iOS.
• Apple's "Always-On VPN" feature works only with managed device profiles (corporate MDM).
• For most users, the practical answer is: use the VPN app's "Protect selected apps" mode and accept the iOS-specific limitations.

How to Set Up VPN Split Tunneling on Android

Android is the most flexible mobile platform for split tunneling. Most VPN apps and the OS itself support it.

Method 1: VPN provider app (recommended)

1. Open ExpressVPN, NordVPN, Surfshark, ProtonVPN, or PIA on Android.
2. Go to Settings → Split Tunneling.
3. Choose "Apps to bypass" (inverse) or "Apps to tunnel."
4. Select apps from the list.
5. Save and reconnect.

Method 2: Android 11+ built-in split tunneling

1. Settings → Network & Internet → VPN.
2. Tap the gear icon next to your VPN.
3. Toggle "Always-on VPN" and "Block connections without VPN".
4. For per-app rules, you need a third-party app like NetGuard or a VPN app that integrates with the system API.

Method 3: NetGuard or AFWall+ (advanced)

NetGuard is a firewall app that lets you decide, per app, whether it can use Wi-Fi, mobile data, both, or neither. It is not a VPN in the encryption sense, but combined with a real VPN it provides the most granular split tunneling on Android.

How to Set Up VPN Split Tunneling on a Router

Router-level split tunneling is the most powerful option because it covers every device on your LAN — including consoles, smart TVs, and IoT devices that cannot run a VPN app. See our full router setup guide for router selection and base VPN installation.

OpenWrt / DD-WRT: Policy-Based Routing with mwan3

1. Install OpenWrt on a compatible router (or use stock DD-WRT).
2. Install openvpn or wireguard and the mwan3 package.
3. Configure two WAN interfaces: wan (ISP) and vpn (tunnel).
4. Define mwan3 rules: traffic from 192.168.1.50 (your printer) → wan. Traffic from your PC → vpn. Default → vpn.
5. Restart networking and test from each device.

pfSense / OPNsense: Policy Routing

1. Install the VPN client package.
2. Add the VPN interface.
3. Firewall → Rules → LAN. Add rules that route specific source IPs or destination ports to the VPN gateway.
4. Default LAN rule → VPN gateway. Specific IPs (printer, NAS, console) → WAN gateway.

AsusWRT-Merlin

1. VPN client tab → add a profile.
2. Under "Redirect Internet traffic through tunnel," set "Policy Rules".
3. Add rules by source IP (192.168.1.0/24 by default → VPN; specific IPs → WAN).

Best router VPNs for split tunneling in 2026

ExpressVPN's Aircove router, AsusWRT-Merlin builds, and GL.iNet's Slate and Beryl travel routers all have user-friendly split-tunnel UIs. See our browser and router VPN roundup for current recommendations.

Best VPNs for Split Tunneling in 2026

We tested every major provider in May 2026. These are the five that did split tunneling correctly, on multiple platforms, with verified DNS-leak protection and kill-switch behavior.

1. ExpressVPN — Best Overall

Platforms: Windows, macOS, Android, routers (Aircove).
Modes: App-based (inverse and standard), URL-based on Windows and macOS, "allow local network access" toggle.
Why we like it: The cleanest implementation we tested. The inverse mode default makes misconfiguration hard. Lightway protocol is fast and stable.

2. NordVPN — Best for Power Users

Platforms: Windows, macOS, Android, Linux (CLI), browser extensions.
Modes: App-based inverse and standard, URL-based on Windows.
Why we like it: NordLynx (WireGuard-based) is fast, the threat-protection feature complements split tunneling, and the Linux CLI split-tunnel flag is unique.

3. Surfshark — Best for Unlimited Devices

Platforms: Windows, macOS, Android, iOS, browser extensions.
Modes: Bypasser (inverse and standard) on all platforms, including iOS — rare.
Why we like it: Unlimited simultaneous connections, very competitive price, iOS split tunneling is genuinely useful.

4. ProtonVPN — Best for Privacy Purists

Platforms: Windows, Android, macOS (limited), iOS (limited).
Modes: App-based inverse and standard on Windows and Android.
Why we like it: Audited, Swiss jurisdiction, open-source apps. The split-tunnel coverage is narrower than Express/Nord, but the security model is unmatched.

5. PIA — Best for Tinkerers

Platforms: Windows, macOS, Android, iOS, Linux.
Modes: App-based and IP-based on Windows, macOS, Android, and Linux.
Why we like it: Highly configurable. Per-app and per-network rules. MACE ad-blocking integrates well with split tunneling.

For full breakdowns of pricing, server coverage, and split-tunnel feature parity, see the main VPNPicked rankings and our browser-focused roundup.

Split Tunneling for China and Restricted Networks

If you are connecting from inside China (or UAE, Iran, Russia, Turkey), the calculus changes. Full tunneling is the default — you almost never want to exclude anything from the tunnel in a high-censorship environment because every packet that goes direct is one more surface for the GFW or its equivalents to fingerprint. Even a "harmless" domain lookup can flag you.

That said, there are two narrow cases where split tunneling still helps in China:

1. Foreign apps + Chinese apps: Use WeChat, Alipay, and Chinese streaming apps outside the tunnel (they are usually geo-restricted to mainland IPs and work better with a direct connection). Tunnel Gmail, WhatsApp, Google, and Twitter through a China-optimized server like ExpressVPN's Japan or LA obfuscated endpoints.
2. Routing rules on your router: Run your whole LAN through the VPN, except for the AppleTV, the printer, and one specific Chinese-only smart speaker.

For tested 2026 picks behind the Great Firewall, see our best VPN for China guide. Spoiler: ExpressVPN, NordVPN, and Astrill still lead.

Troubleshooting Common Issues

Issue: Excluded app still uses the VPN

Fix: Disconnect the VPN, fully quit the excluded app (check system tray / menu bar), reopen, then reconnect the VPN. Some apps cache their connection and need a fresh start to honor the new route.

Issue: Cannot reach printer, NAS, or Chromecast

Fix: Add your local subnet (usually 192.168.0.0/24 or 192.168.1.0/24) to the IP-based bypass list. Most VPN apps have a "Bypass local network" checkbox that does this automatically.

Issue: Streaming service still blocks me

Fix: The streaming service is detecting a VPN IP, not split tunneling. Either (a) use a streaming-optimized server, (b) clear cookies, or (c) route only the browser tab through the streaming-optimized server. For detailed playbooks, see our Amazon Prime streaming guide.

Issue: DNS leaks on excluded traffic

Fix: Enable DNS leak protection in the VPN app, or set a system-wide private DNS (Settings → Network → Private DNS on Android, or set DNS manually on Windows/macOS to 1.1.1.1 or 9.9.9.9). Verify with dnsleaktest.com.

Issue: Speed has not improved

Fix: Verify the app is actually in the bypass list. Check your VPN's active connection panel — most apps show which processes are currently tunneled. If the app is correctly excluded, the speed should be the same as your ISP baseline.

Issue: App shows wrong country

Fix: Geolocation services combine IP, Wi-Fi, GPS, and cell-tower data. If the app is using GPS or Wi-Fi triangulation, the VPN exit IP will not change its guess. Disable GPS for that app, or use a different browser profile.

Issue: Game ping still high

Fix: Some games use cloud servers (e.g., AWS, Azure) that may be in the tunnel path. Add the game's specific IP ranges to the bypass list, or split-tunnel the entire game launcher process tree.

For more VPN performance troubleshooting, see our speed-fix guide.

FAQ: VPN Split Tunneling Questions (2026)

Final Verdict: Is VPN Split Tunneling Worth Using in 2026?

Yes — for most home users, most of the time. VPN split tunneling has matured from a niche power-user feature to a default expectation of any premium VPN in 2026. The implementation quality across ExpressVPN, NordVPN, Surfshark, ProtonVPN, and PIA is now genuinely good: app-based, inverse, and URL-based modes all work, DNS leak protection is solid, and kill switches behave correctly when a split-tunnel app crashes.

Our recommendation: turn on inverse split tunneling by default at home. Exclude the apps you have thought about (banking, streaming, gaming, LAN devices), and let everything else go through the tunnel. Switch to full tunneling when you are on public Wi-Fi, traveling, or doing anything sensitive. With most modern VPN apps, that switch is one click and one reconnect.

For more depth on the topics in this guide, read:

• Split Tunneling VPN: Foundational Guide — the original primer on how split tunneling works.
• Split Tunneling vs Full Tunnel — head-to-head benchmarks and a decision tree.
• VPN Split Tunneling 2026 Security Update — our 2026 attack-surface tests.
• 10 Real-World Split Tunneling Examples — concrete config blocks for streaming, gaming, banking, and corporate setups.
• Best VPN for China 2026 — split tunneling in high-censorship environments.
• Best VPN for Streaming Amazon Prime — split tunneling for geo-blocked services.
• Best VPN for Chrome — browser-level split tunneling with extensions.
• Best Budget VPN — affordable providers that still support split tunneling.
• All VPN Rankings — full 2026 scoring, with split-tunnel feature parity noted for each provider.