Split tunneling: when it's a feature, when it's a foot-gun
Letting some apps skip the VPN sounds great until you discover your banking app went out the back door. Here's a clean rule for when to use split tunneling.
Split tunneling is the option in most VPN apps that says "send these apps through the VPN; let the rest go directly out." It's useful, occasionally great, and dangerous if you don't think about which apps you are putting on which side.
Why it exists
Some traffic doesn't benefit from a VPN and is annoying when routed through one. Local printers and Chromecasts need to find each other on your home network — they can't do that through a VPN. Some streaming services geofence by IP and may flat-out block VPN endpoints. Some banking apps reject logins from "unusual" IPs.
Split tunneling lets you carve those out.
The simple rule
Default everything to the VPN. Whitelist exceptions explicitly. Never the other way around.
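The same rule expressed as routes instead of apps, as an added example that is not from the original article or PlanetProxy's code: start with everything in the tunnel and subtract each explicit exception. It assumes a client that accepts a list of IPv4 networks to send through the VPN; the function names, the 192.168.1.0/24 home LAN and the /8 width limit are illustrative.

```python
import ipaddress

# Assumption: an exception wider than /8 means the default has been inverted.
MAX_BYPASS_WIDTH = 8

def tunnel_routes(bypass_cidrs):
    """IPv4 networks to send through the VPN: everything minus the bypass list.

    IPv4 only; an IPv6 default route needs the same treatment.
    """
    routes = [ipaddress.ip_network("0.0.0.0/0")]  # default: all traffic via VPN
    for cidr in bypass_cidrs:
        hole = ipaddress.ip_network(cidr)
        if hole.prefixlen < MAX_BYPASS_WIDTH:
            raise ValueError(f"{hole} is too wide to be an exception")
        remaining = []
        for net in routes:
            if hole.subnet_of(net):
                # Split the covering route into pieces that avoid the hole.
                remaining.extend(net.address_exclude(hole))
            elif not net.subnet_of(hole):
                remaining.append(net)  # unrelated route, keep as is
            # Otherwise the route lies entirely inside the hole: drop it.
        routes = remaining
    return sorted(routes)

def path_for(address, routes):
    """Which side of the split a destination falls on."""
    ip = ipaddress.ip_address(address)
    return "vpn" if any(ip in net for net in routes) else "direct"

if __name__ == "__main__":
    # Constructed sample: a home LAN carved out for printers and Chromecast.
    routes = tunnel_routes(["192.168.1.0/24"])
    print(len(routes), "routes cover everything except the LAN")
    for dest in ("192.168.1.50", "192.168.2.50", "8.8.8.8"):
        print(dest, "->", path_for(dest, routes))
```

Anything not named in the bypass list stays in the tunnel by construction, so a forgotten subnet fails closed rather than leaking.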
Apps to consider for the bypass list
- Local network discovery (printers, Chromecast, AirPrint, smart bulbs)
- Region-locked streaming services where the VPN endpoint is blocked
- Sometimes Zoom or Teams, when latency through the VPN is poor
- Banking/government apps that geofence aggressively
Apps to never put on the bypass list
- Browsers (you do not want browser tabs leaking out the back door)
- Email clients
- Anything that auto-syncs cloud storage
- Update services (App Store, Windows Update, etc.) — they leak your IP and OS version even if the download itself is HTTPS
On Apple devices, a wrinkle
iOS and macOS handle split tunneling differently from Linux/Windows. On iOS, only one VPN profile can be active at a time and the OS decides per-flow which app gets which interface. On macOS, NEVPNManager has stricter rules than the equivalent Windows API. We document the per-OS behavior in the desktop docs.