Split tunneling

From Wikipedia, the free encyclopedia

Split tunneling is a computer networking concept which allows a user to access dissimilar security domains like a public network (e.g., the Internet) and a local area network or wide area network at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a LAN network interface controller (NIC), radio NIC, Wireless LAN (WLAN) NIC, and VPN client software application without the benefit of an access control.

For example, suppose a user utilizes a remote access VPN software client connecting to a campus network using a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (websites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network. However, not every VPN allows split tunneling. Some VPNs with split tunneling include Private Internet Access (PIA), ExpressVPN, Surfshark and NordVPN[1]

Split tunneling is sometimes categorized based on how it is configured. A split tunnel configured to only tunnel traffic destined to a specific set of destinations is called a split-include tunnel. When configured to accept all traffic except traffic destined to a specific set of destinations, it is called a split-exclude tunnel.[2][3][4]


One advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server.

Another advantage is in the case where a user works at a supplier or partner site and needs access to network resources on both networks. Split tunneling prevents the user from having to continually connect and disconnect.


A disadvantage is that when split tunneling is enabled, users bypass gateway level security that might be in place within the company infrastructure.[5] For example, if web or content filtering is in place, this is something usually controlled at a gateway level, not the client PC.

ISPs that implement DNS hijacking break name resolution of private addresses with a split tunnel.

Variants and related technology[edit]

Inverse split tunneling[edit]

A variant of this split tunneling is called "inverse" split tunneling. By default all datagrams enter the tunnel except those destination IPs explicitly allowed by VPN gateway. The criteria for allowing datagrams to exit the local network interface (outside the tunnel) may vary from vendor to vendor (i.e.: port, service, etc.) This keeps control of network gateways to a centralized policy device such as the VPN terminator. This can be augmented by endpoint policy enforcement technologies such as an interface firewall on the endpoint device's network interface driver, group policy object or anti-malware agent. This is related in many ways to network access control (NAC).[6]

Dynamic split tunneling[edit]

A form of split-tunneling that derives the IP addresses to include/exclude at runtime-based on a list of hostname rules/policies. [Dynamic Split Tunneling] (DST)[7]

IPv6 dual-stack networking[edit]

Internal IPv6 content can be hosted and presented to sites via a unique local address range at the VPN level, while external IPv4 & IPv6 content can be accessed via site routers.


  1. ^ Long, Moe (July 22, 2021). "Best VPN for Split Tunneling". Tech Up Your Life. Retrieved October 21, 2021.
  2. ^ Jeffery, Eric (June 19, 2020). "VPN Split-Tunneling – To Enable or Not To Enable". Infosecurity Magazine. Retrieved October 19, 2020.
  3. ^ Mackie, Kurt (March 26, 2020). "Microsoft Touts Split Tunneling with VPNs To Support Remote Workers -- Redmondmag.com". Redmondmag. Retrieved October 19, 2020.
  4. ^ Michael Cooney. "Cisco, others, shine a light on VPN split-tunneling". Network World. Retrieved October 19, 2020.
  5. ^ Remote Access VPN and a Twist on the Dangers of Split Tunneling, May 10, 2005, retrieved December 5, 2017
  6. ^ Richard Bramante; Al Martin; James Edwards (2006). Nortel Guide to VPN Routing for Security and VoIP. Wiley. p. 454. ISBN 9780470073001.
  7. ^ "AnyConnect Split Tunneling (Local Lan Access, Split Tunneling, Static & Dynamic (Domain)". March 24, 2020.

Further reading[edit]

  • Juniper(r) Networks Secure Access SSL VPN Configuration Guide, By Rob Cameron, Neil R. Wyler, 2011, ISBN 9780080556635, P. 241
  • Citrix Access Suite 4 Advanced Concepts: The Official Guide, 2/E, By Steve Kaplan, Andy Jones, 2006, ISBN 9780071501743, McGraw-Hill Education
  • Microsoft Forefront Uag 2010 Administrator's Handbook, By Erez Ben-Ari, Ran Dolev, 2011, ISBN 9781849681636, Packt Publishing
  • Cisco ASA Configuration By Richard Deal, 2009, page 413, ISBN 9780071622684 , McGraw-Hill Education

External links[edit]