By default, a VPN is all-or-nothing: switch it on and everything your device sends goes through the encrypted tunnel. Split tunneling breaks that rule. It lets you pick which traffic goes through the VPN and which takes your normal connection — useful, but with a catch worth understanding. This guide explains what split tunneling is, the types, why people use it, the honest trade-off, and how to do it on a self-hosted WireGuard setup.
The short definition
Split tunneling is a VPN feature that routes some of your traffic through the encrypted tunnel and lets the rest go directly over your normal internet connection. Instead of one tunnel carrying everything, you split your traffic into two paths: protected (through the VPN) and direct (not). You decide which is which.
How it works
You set rules that tell the VPN which traffic to include or exclude. Those rules usually work in one of a few ways:
- App-based — choose specific apps to send through the VPN (or to keep off it). Common on desktop and Android VPN clients.
- Destination-based — route by IP range or domain, so traffic to certain sites or networks uses the tunnel and the rest doesn't.
- Inverse split tunnel — everything goes through the VPN except a short list you exclude (handy for one app that misbehaves behind a VPN).
Whatever the method, the VPN client applies your rules to each connection and sends it down the right path.

Why people use it
Split tunneling is mostly about convenience and performance:
- Speed and bandwidth. Traffic that doesn't need protecting skips the VPN's extra hop, so it's faster and doesn't eat the tunnel's throughput. Large downloads or video calls often go direct.
- Local network access. You can reach your printer, NAS or other home devices while the VPN stays on for everything else — normally a full tunnel would cut you off from them.
- Dual access. Use a service that blocks VPNs (some banking or streaming apps) over your real connection while another app stays on the VPN — no toggling on and off.
The honest trade-off
Here's the part that matters: anything you route outside the tunnel is not protected. That traffic uses your real IP and is visible to your network and ISP, exactly as if the VPN were off. Split tunneling trades some protection for convenience, and the main risk is misconfiguration — excluding something sensitive by accident, or a DNS query leaking outside the tunnel and revealing what you're doing.
So the rule of thumb is simple: only exclude traffic you genuinely don't mind being unprotected. If you're using a VPN for privacy or on a hostile network, a full tunnel — everything through the VPN — is the safer default, and split tunneling is the deliberate exception you make for a specific app.
Doing it yourself on WireGuard
If you run your own VPN, you already have split tunneling — it's just the AllowedIPs setting in your WireGuard client config. AllowedIPs = 0.0.0.0/0, ::/0 routes all traffic through the tunnel (a full tunnel). List only specific subnets instead, and only that traffic uses WireGuard while everything else stays on your normal connection (a split tunnel). No special toggle required — the routing config is the control, which is one more reason a self-hosted WireGuard server gives you precise command over your traffic.
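To check what a given client config actually does, the following added example (not part of the original guide) reads a single-peer wg-quick config, classifies it as full or split tunnel from AllowedIPs, and lists any DNS servers that sit outside the tunnel, which is the DNS leak described in the trade-off section. The sample config, its addresses and the audit function name are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample client config; keys, hostname and addresses are placeholders.
SAMPLE_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = 1.1.1.1, 10.8.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
"""

def _items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(conf_text):
    """Classify a single-peer config and find DNS servers routed outside the tunnel."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep WireGuard's key capitalisation
    cp.read_string(conf_text)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in _items(cp["Peer"]["AllowedIPs"])]
    full_v4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    full_v6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if full_v4 and full_v6:
        mode = "full"
    elif full_v4:
        mode = "full-ipv4-only"  # IPv6 traffic still goes direct
    else:
        mode = "split"
    dns_outside = []
    for entry in _items(cp["Interface"].get("DNS", "")):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # wg-quick treats non-IP DNS entries as search domains
        if not any(addr.version == n.version and addr in n for n in nets):
            dns_outside.append(str(addr))
    return {"mode": mode, "dns_outside_tunnel": dns_outside}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A non-empty dns_outside_tunnel list means lookups to those resolvers travel over the normal connection even while the tunnel is up.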
The verdict
Split tunneling is a genuinely useful feature for speed, local access and dual connections — as long as you remember that excluded traffic gets none of the VPN's protection. Use it deliberately for the apps that benefit, keep anything sensitive inside the tunnel, and when in doubt, route everything through the VPN.
