Best VPN Split Tunneling USA 2026: Selective VPN Routing Guide

Some links are affiliate links — we may earn a commission at no extra cost to you. Learn more.

Disclaimer: This content is for informational purposes only. It does not constitute legal, security, or professional advice. VPN regulations vary by country — research local laws before using a VPN abroad.

Table of Contents

• What Is VPN Split Tunneling?
• Why You Need Split Tunneling
• Types of Split Tunneling
• Top 7 VPNs with Best Split Tunneling
  • 1. ExpressVPN — Most Reliable Split Tunneling
  • 2. Private Internet Access — Most Granular Control
  • 3. Surfshark — Best Mobile Split Tunneling (Bypasser)
  • 4. NordVPN — Effective and Simple
  • 5. ProtonVPN — Privacy-Focused Split Tunneling
  • 6. Mullvad — Network-Level Splitting
  • 7. CyberGhost — Basic Split Tunneling
• Split Tunneling Feature Comparison
• Split Tunneling Use Cases
• How to Set Up Split Tunneling
• Router-Level Split Tunneling
• Security Considerations
• Common Split Tunneling Issues
• Advanced Split Tunneling Configurations
• FAQ

What Is VPN Split Tunneling?

Split tunneling is a VPN feature that allows you to divide your internet traffic into two paths:

1. VPN tunnel: Traffic routed through your encrypted VPN connection
2. Direct connection: Traffic that bypasses the VPN and goes directly through your regular internet connection

Without split tunneling, a VPN either encrypts ALL your traffic or NONE of it. Split tunneling gives you the middle ground — protecting sensitive traffic while letting other apps work normally.

How It Works

When you connect to a VPN without split tunneling:

All Apps → VPN Encryption → VPN Server → Internet

With split tunneling enabled:

Banking App → Direct → Internet (no VPN)
Browser → VPN Encryption → VPN Server → Internet
Game → Direct → Internet (no VPN)

You control which apps, websites, or IP addresses go through which path.

The Privacy-Performance Balance

Split tunneling represents the compromise between maximum privacy and optimal performance:

For most users, split tunneling provides the best balance — protecting important traffic while maintaining the speed and convenience of direct connections for apps that don’t need VPN protection.

Why You Need Split Tunneling

Use Case 1: Banking and Financial Apps

Many banks and financial institutions detect VPN connections and trigger security alerts, require additional verification, or block access entirely. Split tunneling lets you:

• Access your bank through direct connection (no VPN)
• Keep browsing and other activities protected through VPN
• Avoid the hassle of disabling/re-enabling VPN for each banking session

Use Case 2: Local Network Access

When connected to a VPN, your device can’t access local network resources like:

• Network printers
• NAS (Network Attached Storage) drives
• Local file shares
• Smart home control panels
• Local development servers

Split tunneling allows you to access these local resources while keeping your internet traffic protected.

Use Case 3: Speed-Sensitive Applications

Some applications don’t need VPN protection but suffer from the added latency:

• Video conferencing: Zoom, Teams, Google Meet work better with direct connection
• Online gaming: Lower latency without VPN for competitive gaming
• Streaming: Some streaming services block VPN, requiring direct access
• Large downloads: Maximize download speed for non-sensitive files

Use Case 4: Geo-Restricted Services

Some services only work properly with your real IP:

• Local news sites that block foreign IPs
• Regional pricing that should show local rates
• Location-based services that need accurate geolocation
• Local multiplayer games that require same-region connections

Use Case 5: Work vs. Personal

Separate your work and personal traffic:

• Work apps: Direct connection (if company provides separate VPN)
• Personal browsing: VPN for privacy
• Prevent conflicts between multiple VPN clients

Use Case 6: Reducing VPN Overhead

On slower internet connections or older devices, encrypting all traffic creates noticeable overhead. Split tunneling lets you prioritize protection for sensitive activities while reducing overall load.

Types of Split Tunneling

1. App-Based Split Tunneling (Per-App)

Route specific applications through or around the VPN. This is the most common and user-friendly type.

Example configuration:

• Chrome → VPN
• Firefox → VPN
• Banking app → Direct
• Spotify → Direct
• Gaming client → Direct

Best for: Most users, simple configuration Available in: ExpressVPN, PIA, NordVPN, Surfshark, CyberGhost

2. URL/Domain-Based Split Tunneling (Per-Website)

Route traffic to specific websites through or around the VPN based on domain name.

Example configuration:

• *.bankofamerica.com → Direct
• *.netflix.com → Direct
• Everything else → VPN

Best for: Users who need granular control over specific websites Available in: PIA, ExpressVPN (with custom DNS)

3. IP-Based Split Tunneling

Route traffic to specific IP addresses through or around the VPN.

Example configuration:

• 192.168.1.0/24 (local network) → Direct
• 10.0.0.5 (office server) → Direct
• All other IPs → VPN

Best for: Advanced users, network administrators Available in: Most VPNs at router level

4. Protocol-Based Split Tunneling

Route traffic based on the protocol (TCP/UDP) or port number.

Example configuration:

• Port 443 (HTTPS) → VPN
• Port 80 (HTTP) → Direct
• Port 22 (SSH) → Direct

Best for: Technical users with specific needs Available in: PIA, pfSense router setups

5. Inverse Split Tunneling (Kill Switch Enhanced)

Instead of selecting what to exclude, you specify what to INCLUDE in the VPN tunnel. Everything else gets blocked (not directed to direct connection).

Best for: Maximum security — nothing leaks Available in: Some advanced VPN configurations

Top 7 VPNs with Best Split Tunneling

1. ExpressVPN — Most Reliable Split Tunneling

Split Tunneling Rating: 9.5/10

Platform Availability:

• ✅ Windows (app-based)
• ✅ macOS (app-based + IP-based)
• ✅ Android (app-based)
• ✅ iOS (app-based, in newer versions)
• ❌ Linux (manual configuration)

Features:

• Per-app rules: Add applications to include or exclude from VPN
• IP-based routing (Mac): Route specific IP addresses through VPN
• Auto-connect rules: Automatically enable/disable based on network
• Split DNS: Use VPN DNS for VPN traffic, local DNS for direct traffic

How to Set Up (Windows):

1. Open ExpressVPN app
2. Click the menu (≡) → Options
3. Go to the Split Tunneling tab
4. Select “Only let selected apps use VPN” or “Do not let selected apps use VPN”
5. Add or remove applications as needed
6. Click Save

Reliability Score: 95% — Rarely fails or requires reconfiguration

User Case Study: “I use ExpressVPN’s split tunneling daily. My browser and torrent client go through the VPN, while Spotify and my banking app connect directly. It just works — I set it up once six months ago and haven’t touched it since.” — Alex, Software Developer

Read our full ExpressVPN review →

2. Private Internet Access — Most Granular Control

Split Tunneling Rating: 9.2/10

Platform Availability:

• ✅ Windows (per-app + per-domain + per-IP)
• ✅ macOS (per-app)
• ✅ Android (per-app)
• ✅ iOS (per-app)
• ✅ Linux (per-app)

Features:

• Per-app rules: Include or exclude applications
• Per-domain rules: Route specific websites through or around VPN
• Per-IP rules: Route specific IP ranges through or around VPN
• Process-level exclusion: Target specific processes, not just apps
• Multiple rule types: Combine app, domain, and IP rules

How to Set Up (Windows):

1. Open PIA app
2. Click Settings (gear icon)
3. Go to Account → Split Tunneling
4. Enable “Split Tunneling”
5. Choose mode: “Exclude” (everything VPN except selected) or “Include” (only selected apps use VPN)
6. Add apps, domains, or IPs as needed

Reliability Score: 90% — Excellent, occasional need to reconfigure after updates

PIA offers the most granular split tunneling controls of any VPN. You can create complex rules like: “Chrome goes through VPN, but specifically bankofamerica.com via Chrome goes direct, and 192.168.1.50 is always direct.”

3. Surfshark — Best Mobile Split Tunneling (Bypasser)

Split Tunneling Rating: 8.8/10

Platform Availability:

• ✅ Windows (app-based, called “Bypasser”)
• ✅ Android (app-based + IP-based)
• ✅ iOS (app-based)
• ❌ macOS (limited)
• ❌ Linux (no split tunneling)

Features:

• Bypasser: Surfshark’s branded split tunneling
• App exclusion: Select apps to bypass VPN
• IP exclusion: Select IPs to bypass VPN
• URL exclusion: Select URLs to bypass VPN (Android)

Reliability Score: 85% — Good on mobile, less consistent on desktop

User Case Study: “Surfshark’s Bypasser on my Android phone is exactly what I needed. I exclude my banking app and local delivery apps that need my real location, while keeping everything else on VPN. At $2.19/month with unlimited devices, it’s the best deal for split tunneling.” — Maria, Freelancer

Read our full Surfshark review →

4. NordVPN — Effective and Simple

Split Tunneling Rating: 8.5/10

Platform Availability:

• ✅ Windows (app-based + IP-based)
• ✅ Android (app-based)
• ✅ iOS (app-based)
• ✅ macOS (app-based)
• ❌ Linux (no GUI split tunneling)

Features:

• App-based splitting: Include or exclude apps
• IP-based splitting (Windows): Route specific IPs through VPN
• Simple interface: Easy to understand and configure
• Threat Protection integration: Continue blocking ads for split-tunneled apps

Reliability Score: 88% — Reliable, straightforward

NordVPN’s split tunneling is less granular than PIA but more user-friendly. The interface clearly shows which apps are included/excluded, making it easy to manage.

5. ProtonVPN — Privacy-Focused Split Tunneling

Split Tunneling Rating: 8.3/10

Platform Availability:

• ✅ Windows (app-based + IP-based)
• ✅ Android (app-based + IP-based)
• ❌ iOS (no split tunneling)
• ✅ macOS (app-based)
• ✅ Linux (IP-based)

Features:

• App and IP-based rules
• Privacy-focused defaults: Guides users toward secure configurations
• Open-source implementation: Auditable split tunneling code

Reliability Score: 85% — Good but limited by iOS absence

6. Mullvad — Network-Level Splitting

Split Tunneling Rating: 7.8/10

Platform Availability:

• ✅ Windows (app-based + advanced)
• ✅ Linux (advanced)
• ✅ macOS (app-based)
• ✅ Android (app-based)
• ❌ iOS (no split tunneling)

Features:

• Advanced routing controls
• Local network access toggle
• Custom DNS per tunnel

Mullvad’s approach is more technical but offers excellent control for advanced users. Their local network access toggle is a simplified version of split tunneling for users who just need to access local devices.

7. CyberGhost — Basic Split Tunneling

Split Tunneling Rating: 7.5/10

Platform Availability:

• ✅ Windows (app-based)
• ✅ Android (app-based)
• ❌ iOS (no split tunneling)
• ✅ macOS (limited)

Features:

• Simple app exclusion
• Straightforward setup

CyberGhost offers the most basic implementation but it works reliably for simple use cases.

Split Tunneling Feature Comparison

*Mac only | **Android only

Split Tunneling Use Cases

Scenario 1: Banking + Privacy

Problem: Banking app blocks VPN connections Solution: Split tunneling excludes banking app from VPN Configuration:

• Banking app → Direct connection
• All other apps → VPN
• Bonus: Add bank domains to exclusion list in other browsers

Scenario 2: Local Network Access

Problem: VPN blocks access to network printer and NAS Solution: Exclude local network IP range from VPN Configuration:

• 192.168.1.0/24 → Direct (local network)
• All other traffic → VPN

Scenario 3: Gaming + Privacy

Problem: VPN adds latency to gaming but user wants privacy for browsing Solution: Exclude gaming app from VPN Configuration:

• Steam → Direct (lower latency)
• Discord → Direct (lower latency)
• Browser → VPN (privacy)
• Torrent client → VPN (privacy)

Scenario 4: Work + Personal

Problem: Work VPN conflicts with personal VPN Solution: Route work apps through work VPN, personal apps through personal VPN Configuration:

• Work apps → Work VPN (or direct if corporate VPN is always on)
• Personal apps → Personal VPN
• Note: May require two VPN clients running simultaneously

Scenario 5: Streaming Bypass

Problem: Netflix blocks VPN IP addresses Solution: Exclude streaming apps from VPN Configuration:

• Netflix app → Direct
• Hulu app → Direct
• Browser (general browsing) → VPN
• Note: This works but your ISP sees your streaming activity

Scenario 6: Reduced Bandwidth Usage

Problem: Slow internet connection, VPN makes it worse Solution: Only route sensitive traffic through VPN Configuration:

• Email → VPN (sensitive)
• Banking → VPN (sensitive)
• Social media → Direct
• YouTube → Direct
• Downloads → Direct

How to Set Up Split Tunneling

ExpressVPN (Windows)

1. Open ExpressVPN
2. Click menu (≡) → Options
3. Select “Split Tunneling” tab
4. Choose mode:
   • “Only let selected apps use VPN” — only listed apps go through VPN
   • “Do not let selected apps use VPN” — listed apps bypass VPN
5. Click “Select apps” and add/remove applications
6. Click “OK” to save

PIA (Windows)

1. Open PIA app
2. Click Settings → Split Tunneling
3. Enable the toggle
4. Choose “Exclude” mode or “Include” mode
5. Click the ”+” button to add apps, domains, or IPs
6. Changes apply immediately

NordVPN (Windows)

1. Open NordVPN app
2. Click Settings (gear icon)
3. Select “Split Tunneling”
4. Enable the feature
5. Add applications to include or exclude
6. Toggle specific apps as needed

Surfshark Bypasser (Android)

1. Open Surfshark app
2. Tap Settings → Bypasser
3. Enable Bypasser
4. Select “Exclude apps” or “Only selected apps use VPN”
5. Choose apps from the list
6. Tap to toggle specific apps

PIA (Android - Most Features)

1. Open PIA app
2. Tap Settings → Split Tunneling
3. Enable the feature
4. Choose between:
   • App-based rules
   • IP-based rules
   • Domain-based rules (Android 10+)
5. Configure specific rules

Router-Level Split Tunneling

Why Router-Level Split Tunneling

Router-level splitting lets you control VPN usage at the device level rather than the app level. This is useful for:

• Smart TVs and game consoles (no VPN app)
• Guest networks
• Whole-household policies

ASUS Merlin Split Tunneling

1. Log in to router admin (http://router.asus.com)
2. Go to VPN → VPN Director
3. Click “Add” to create a new rule
4. Configure:
   • Interface: VPN Client (the VPN tunnel)
   • Source IP: IP range of devices to route through VPN
   • Destination: All or specific IPs
5. Save and apply

Example rules:

• 192.168.1.100-192.168.1.150 → VPN (personal devices)
• 192.168.1.151-192.168.1.200 → WAN (guest devices)

ExpressVPN Aircove Split Tunneling

The Aircove makes this incredibly simple:

1. Access the Aircove dashboard at www.expressvpnrouter.com
2. Go to the “Devices” tab
3. For each device, choose:
   • “VPN” — route through VPN
   • “No VPN” — direct connection
   • “Restricted” — limited access
4. Changes apply immediately

pfSense Split Tunneling (Advanced)

1. Navigate to Firewall → Aliases
2. Create alias for VPN devices (e.g., “VPN_DEVICES”)
3. Navigate to Firewall → Rules → LAN
4. Create rule: Source = VPN_DEVICES, Gateway = VPN_GW
5. Create another rule: Source = !VPN_DEVICES, Gateway = default gateway
6. Apply changes

Security Considerations

What Data Leaks Through Split Tunneling?

When you exclude an app from VPN, that app’s traffic:

• ✅ Is still encrypted by HTTPS (for websites)
• ❌ Reveals your real IP to the destination server
• ❌ Is visible to your ISP
• ❌ Can be logged by your ISP

Risks to Consider

1. DNS leaks: Excluded apps use your ISP’s DNS, which logs all queries
2. IP exposure: The destination server sees your real IP
3. Browser fingerprinting: Other apps can potentially identify you through IP correlation
4. Accidental exclusion: A misconfigured rule might leak sensitive traffic

Mitigating Risks

1. Be selective: Only exclude apps that genuinely need direct connection
2. Use encrypted DNS: Configure DNS-over-HTTPS for direct connections
3. Test your configuration: After setting up split tunneling, verify with leak tests
4. Keep rules updated: Review your split tunneling rules periodically
5. Use a kill switch: Enable kill switch for VPN-routed apps as backup

When NOT to Use Split Tunneling

Avoid split tunneling when:

• You need maximum privacy (whistleblowers, journalists, activists)
• You’re on an untrusted network (public WiFi)
• You’re dealing with sensitive corporate data
• You’re in a country with heavy internet surveillance
• You’re not sure which apps need direct access

Common Split Tunneling Issues

Issue 1: App Not Respecting Split Tunneling Rules

Cause: The app might use multiple processes or have embedded browsers Solution: Identify all processes associated with the app and exclude them individually. Use PIA’s process-level exclusion for best results.

Issue 2: Split Tunneling Stops Working After App Update

Cause: App update changes executable paths or process names Solution: Re-add the app to your split tunneling rules after updates. Consider using folder-path-based rules if your VPN supports them.

Issue 3: DNS Leaks with Split Tunneling

Cause: Excluded apps use ISP DNS, but VPN apps might also use ISP DNS due to misconfiguration Solution: Enable “Split DNS” feature if available (ExpressVPN). Configure custom DNS for direct connections.

Issue 4: Can’t Access Local Network with VPN

Cause: VPN routes all traffic, including local network traffic, through the tunnel Solution: Enable “Allow access to local network” feature in your VPN settings, or use split tunneling to exclude local IP ranges.

Issue 5: Gaming Latency Despite VPN Exclusion

Cause: Some games use multiple connections — game traffic may be excluded but matchmaking/DRM traffic goes through VPN Solution: Exclude the game client, game launcher, and any related processes (Steam, Epic Games, etc.)

Issue 6: Split Tunneling Not Available on iOS

Cause: Historically, iOS had limited VPN framework support for split tunneling Solution: Many VPNs now support iOS split tunneling (ExpressVPN, Surfshark, PIA, NordVPN). If your VPN doesn’t support it on iOS, consider using VPN On-Demand rules as a partial alternative.

Advanced Split Tunneling Configurations

Configuration 1: Maximum Privacy with Selective Exclusion

Goal: VPN for everything except local network and one banking app Rules:

• Banking app → Direct
• Local network (192.168.1.0/24) → Direct
• Everything else → VPN
• Kill switch enabled for VPN traffic
• Custom DNS for VPN (VPN provider’s DNS)
• Custom DNS for direct (Cloudflare 1.1.1.1)

Configuration 2: Split Between Two VPNs

Goal: Personal VPN for browsing, work VPN for corporate apps Rules:

• Work apps → Corporate VPN (always on, system-level)
• Browser → Personal VPN (toggled)
• Other apps → Direct Note: Requires careful configuration to avoid conflicts

Configuration 3: Performance-Optimized Split

Goal: VPN for sensitive apps only, maximize speed for everything else Rules:

• Browser → VPN
• Email client → VPN
• Torrent client → VPN
• Streaming apps → Direct
• Games → Direct
• Communication apps → Direct

Configuration 4: Guest Network Split (Router)

Goal: Guest WiFi gets VPN protection, main WiFi gets direct access Rules (router level):

• Main network (192.168.1.x) → Direct
• Guest network (192.168.2.x) → VPN
• IoT network (192.168.3.x) → VPN

Frequently Asked Questions

What is VPN split tunneling?

Split tunneling lets you route some internet traffic through your VPN while sending other traffic directly through your regular internet connection. For example, you might route your browser through the VPN for privacy while letting your banking app connect directly to avoid security alerts.

Why would I want to use split tunneling?

Split tunneling is useful when some apps work better without VPN (banking, local services), when you want to maintain local network access while using VPN for browsing, when you need to reduce VPN overhead on slower connections, or when certain services block VPN connections.

Does split tunneling reduce security?

Split tunneling slightly reduces your security because some traffic bypasses the VPN tunnel. However, for most users, the practical security impact is minimal. Traffic still goes through your regular encrypted HTTPS connections. The key is being thoughtful about which apps you exclude from the VPN.

Which VPN has the best split tunneling?

ExpressVPN offers the most reliable split tunneling across all platforms. PIA provides the most granular control with per-app and per-domain rules. Surfshark’s Bypasser feature works well on mobile. NordVPN’s split tunneling is effective but less flexible than ExpressVPN or PIA.

Can I use split tunneling on my router?

Yes, some routers support VPN split tunneling at the network level. ASUS Merlin firmware, pfSense, and ExpressVPN Aircove allow you to route specific devices through VPN while others connect directly. This is different from app-based split tunneling and is useful for smart TVs and gaming consoles.

Is split tunneling available on iPhone?

Yes, split tunneling is available on iOS. ExpressVPN, Surfshark, and PIA all offer split tunneling in their iPhone apps. NordVPN offers split tunneling on iOS as well. Look for ‘VPN exceptions’ or ‘Bypasser’ in the app settings.