Compass Reviews

VPN Split Tunneling: How to Route Only Some Traffic Through Your VPN

A practical guide to VPN split tunneling: what it is, when to use it (banking, streaming, local devices), and step-by-step setup for NordVPN, ExpressVPN, Surfshark.

David Park


VPN Split Tunneling: How to Route Only Some Traffic Through Your VPN — and Why You’d Want To.

I remember the night I tried to stream The Mandalorian while a giant Steam update crawled in the background — everything stuttered. I learned then that you don’t always want all your traffic shoved through a VPN. Split tunneling fixes that.

In plain terms: split tunneling lets you pick which apps or destinations use the VPN and which use your normal internet route. Think of it like a road split — some lanes go through the secure tunnel, others stay on the surface streets.

That matters because VPNs add encryption and often make your traffic appear to come from the VPN server's location. That is great for privacy and for unlocking region-locked content, but not always ideal for local printers, banking logins, or latency-sensitive games.

How split tunneling actually works

Under the hood, the VPN client changes your routing table or intercepts traffic by app. You can route traffic by application, by IP/subnet, or (in some apps) by website domain. The VPN sends selected traffic through the encrypted tunnel to its server; the rest continues to your ISP normally.

  • App-based: choose specific programs (Chrome, Steam) to bypass or use the VPN.
  • Inverse (allow only selected apps): only these apps go through the VPN; everything else uses your normal connection.
  • IP or subnet rules: send traffic to particular IPs (e.g., a work VPN) through the tunnel.
  • URL-based (less common): some clients let you route specific domains through or around the VPN.

All of these change what your public IP looks like for different traffic and can affect speed, latency, and access. That gives you flexibility — and also some new risk if you don’t configure it carefully.
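To make the IP/subnet case concrete, here is an added example (not code from any VPN client) that models the routing-table decision described above: the most specific matching route wins, and the DNS resolver is just another destination that may or may not fall inside the tunnel. All addresses, subnets and interface names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation and private ranges), not from a real client.
BASE_ROUTES = [("0.0.0.0/0", "isp"), ("192.168.1.0/24", "lan")]


def build_table(tunnel_subnets):
    """Base routes plus one 'vpn' route per split-tunnel subnet rule."""
    entries = BASE_ROUTES + [(subnet, "vpn") for subnet in tunnel_subnets]
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]


def route_for(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net, iface) for net, iface in table if addr in net]
    _, iface = max(candidates, key=lambda c: c[0].prefixlen)
    return iface


def audit(table, destinations, dns_resolver):
    """Map each destination to its interface and flag a DNS leak.

    Leak here means: at least one destination is tunneled, but the resolver
    that looks up names is reached outside the tunnel.
    """
    paths = {dest: route_for(table, dest) for dest in destinations}
    dns_path = route_for(table, dns_resolver)
    leak = dns_path != "vpn" and "vpn" in paths.values()
    return paths, dns_path, leak


if __name__ == "__main__":
    dests = ["198.51.100.20", "203.0.113.80", "192.168.1.50"]
    # Rule: tunnel one remote subnet plus the tunnel's own internal subnet.
    table = build_table(["198.51.100.0/24", "10.8.0.0/24"])
    print(audit(table, dests, "203.0.113.53"))  # ISP resolver: DNS leaves via ISP
    print(audit(table, dests, "10.8.0.1"))      # resolver inside the tunnel
```

The first call shows tunneled traffic paired with a resolver on the ISP path, which is the DNS-leak condition; the second shows the same rules with a resolver that sits inside the tunnel.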

When you should (and shouldn’t) use split tunneling

Good uses: streaming, local network devices, and games. I route my streaming apps through a VPN to grab a different Netflix catalog while keeping everything else direct. It saved me hours of buffering (and a lot of cursing).

Banking is trickier. Some banks flag logins that come from VPN IPs, triggering extra verification or blocking. If your bank keeps locking you out, route that banking app or browser outside the VPN — but only on a trusted network (home Wi‑Fi, not a coffee shop).

Local devices: printers, NAS drives, smart home hubs — these often need direct local-network access. If you put everything through a remote VPN server, your laptop may lose access. Split tunneling lets you keep local traffic local.

Gaming: low latency matters. I use split tunneling to keep game traffic on my ISP route while sending torrent clients or background downloads through the VPN. That keeps ping stable during raids and fights.

Before you start: a quick checklist

  • Know what you want routed through the VPN (apps, IPs, or domains).
  • Update your VPN app to the latest version.
  • Enable the kill switch feature where available (to avoid leaks if the VPN drops).
  • Test your IP and DNS before and after changes (ipleak.net, dnsleaktest.com).
  • Remember: split tunneling reduces privacy for bypassed traffic. Don’t send passwords over public Wi‑Fi without encryption.

NordVPN — how to set up split tunneling

NordVPN offers split tunneling on Windows and Android apps (and similar features on some other platforms). On Windows it’s called “Split tunneling” and you can either exclude apps from the VPN or force only selected apps through it.

  • Open NordVPN and sign in.
  • Go to Settings (the gear icon) and find the Split tunneling section.
  • Toggle Split tunneling on.
  • Choose your mode: “Bypass VPN for selected apps” (those apps use your real IP) or “Only use VPN for selected apps” (everything else is direct).
  • Click Add and pick the apps you want to include/exclude.
  • Reconnect the VPN if required and test with an IP-check site.

Tip: Nord’s UI is blunt and reliable. I used it to keep my printer traffic local while tunneling Chrome for region streaming. Worked like magic.

ExpressVPN — how to set up split tunneling

ExpressVPN includes a split tunneling feature on Windows, Mac, and Android apps (check your app version). It’s under Preferences/Options and is one of the simpler implementations.

  • Open ExpressVPN and go to Options (Windows) or Preferences (Mac).
  • Select the General tab and find Split Tunneling.
  • Click Manage settings (or the corresponding button).
  • Choose between allowing selected apps to use the VPN or preventing selected apps from using it.
  • Add apps, save, and reconnect if prompted.
  • Test by visiting an IP-check site from both a bypassed app and a tunneled app.

ExpressVPN’s split tunneling is robust — I used it while streaming a UK-only show in one browser and keeping a US banking tab outside the VPN. It avoided the bank’s weird reauth triggers.

Surfshark — how to set up split tunneling (Bypasser)

Surfshark calls this feature Bypasser (previously Whitelister). It’s available on Windows, Android, and some other platforms. The flow is similar to the other apps, but the naming is different.

  • Open Surfshark and sign in.
  • Go to Settings and find Bypasser (or Split Tunneling).
  • Enable the feature.
  • Choose which apps or websites should bypass the VPN, or select apps that must use the VPN.
  • Save changes and reconnect if needed.
  • Run an IP/DNS leak test to confirm behavior.

Surfshark is great for budget-conscious users — I set Bypasser to keep Steam direct while routing my browser through a VPN server to watch region-locked shows. No lag in matches, no geoblock headaches.

Testing & troubleshooting tips

Always test. Open a tunneled app — check your IP at ipleak.net. Open a bypassed app — check again. If both show the VPN IP, your rules aren’t applied. If the bypassed app shows your home IP, success.

If an app won’t appear in the list, try running both the VPN and the app as an administrator (Windows). Some apps spawn child processes; you might need to add those too.
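The child-process point can be checked mechanically. This added example (not part of any VPN client) walks a process snapshot and lists executables spawned by a ruled app that no rule covers. It assumes the client matches rules on the exact executable path and does not extend a rule to child processes; the snapshot, paths and function names are constructed.

```python
# Constructed process snapshot: pid -> (parent pid, executable path).
LAUNCHER = r"C:\Apps\ExampleLauncher\launcher.exe"
HELPER = r"C:\Apps\ExampleLauncher\bin\webhelper.exe"
GAME = r"C:\Games\ExampleGame\game.exe"
BROWSER = r"C:\Apps\ExampleBrowser\browser.exe"

PROCS = {
    100: (1, LAUNCHER),
    110: (100, HELPER),
    111: (110, HELPER),   # helper re-spawns itself
    120: (100, GAME),     # the game is started by the launcher
    200: (1, BROWSER),
}


def descendants(procs, root):
    """Return every pid below root in the parent/child tree."""
    children = {}
    for pid, (ppid, _) in procs.items():
        children.setdefault(ppid, []).append(pid)
    found, stack = [], [root]
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child)
            stack.append(child)
    return found


def uncovered(procs, rule_paths):
    """Executables spawned by a ruled app that no split-tunnel rule lists."""
    rules = {path.lower() for path in rule_paths}  # Windows paths ignore case
    missing = set()
    for pid, (_, exe) in procs.items():
        if exe.lower() not in rules:
            continue
        for child in descendants(procs, pid):
            child_exe = procs[child][1]
            if child_exe.lower() not in rules:
                missing.add(child_exe)
    return sorted(missing)


if __name__ == "__main__":
    print(uncovered(PROCS, [LAUNCHER]))                # helper and game missing
    print(uncovered(PROCS, [LAUNCHER, HELPER, GAME]))  # nothing missing
```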

If DNS leaks happen, enable DNS leak protection in the VPN app, and consider using the VPN provider’s DNS. Remember: split tunneling reduces the scope of protection — bypassed traffic is exposed to your ISP.

If you’re unsure what to route where, start small: only bypass the exact app that’s causing trouble (a banking site or a local printer client). That keeps the rest of your traffic private.

Security notes and final thoughts

Split tunneling is a useful tool, but it’s a trade-off. Bypassed traffic won’t get the VPN’s encryption or IP masking. Don’t route sensitive apps outside the VPN on untrusted networks.

Which provider to choose? NordVPN is fast and reliable, ExpressVPN is consistent and easy to use, and Surfshark is budget-friendly with strong features. All three support split tunneling in their desktop/mobile apps — so it really comes down to price, speed, and interface.

Personally, split tunneling saved my evening more than once: I streamed new episodes while a background download gobbled bandwidth — no buffering, no rage. Try it with one app first, test with an IP leak site, and tweak until it's smooth.

Got a setup you want me to try? Tell me what apps you want routed where (I’ll probably test it while pretending to work and actually playing a bit of Elden Ring). Buffer-free streaming is a beautiful thing.

Frequently Asked Questions

Is split tunneling secure?

Split tunneling is secure for the traffic that remains in the VPN tunnel. Any apps or sites you bypass will use your normal ISP route, which is less private. Don’t bypass sensitive apps on public Wi‑Fi.

Will split tunneling stop my VPN kill switch?

Most good VPNs keep the kill switch active even when split tunneling is on, but implementations vary. Enable and test the kill switch after changing split tunneling settings.

Can I split tunnel by website or IP address?

Some clients let you route by IP/subnet and a few support domain-based rules, but many use app-based rules. Check your VPN’s documentation for the exact capabilities.

Which platforms support split tunneling?

Windows and Android are the most commonly supported platforms. macOS support is more limited and varies by provider. Always check the app’s settings or the provider’s help pages.