Split Tunneling VPN in 2026: granular control
All VPN users eventually ask the same question: “Why doesn’t my banking app work when my VPN is on?” or “How do I keep max speed on Steam while protecting the rest?”. The answer is split tunneling — a feature in all premium VPNs letting you choose, app by app, what goes through the VPN tunnel and what goes direct.
This article explains how it works in depth, shows the configuration on the 5 main VPNs, and clarifies the use cases and limits (notably that it is impossible on iOS).
Split tunneling: 3 modes, 1 principle
Basic principle
Without split tunneling, it’s all or nothing:
- VPN OFF → everything via your direct ISP
- VPN ON → everything via VPN tunnel
With split tunneling, you choose per app:
- App A (e.g. Netflix) → VPN
- App B (e.g. bank) → direct
- App C (e.g. Steam) → direct
- App D (e.g. browser) → VPN
One Internet connection, but differentiated routing per app.
Mode 1 — Classic / Blacklist (excluded apps)
Configuration: “All apps go via VPN except those in the list”.
Use case: VPN by default, but exclude a few specific apps (bank, competitive game, local home-automation app).
Mode 2 — Inverse / Whitelist (included apps)
Configuration: “No app goes via VPN except those in the list”.
Use case: normal Internet by default, but route a specific app via VPN (e.g. uTorrent only).
Mode 3 — URL-based (per website)
Configuration: routing by domain (netflix.com via VPN, bank.com direct).
Advantage: granularity beyond app (useful for browser visiting many sites).
Available on: Surfshark Bypasser (URL), ExpressVPN (limited), not on all.
The 5 killer use cases
1. Banking — avoid fraud alert
The problem: your bank detects connection from foreign IP (US, UK, Swiss VPN) → anti-fraud alert → account temporarily blocked → mandatory call to unblock.
Split tunneling solution: exclude banking app from VPN. It continues connecting via your French IP, no alert triggered.
NordVPN config example:
- NordVPN app > Settings > Split Tunneling
- Disable VPN for selected apps
- Add MyBankApp.exe (Windows) or mobile banking app
- Save
2. Competitive gaming — minimal latency
The problem: VPN adds 5-15 ms latency. Critical in competitive FPS (Valorant, Warzone, CS, Apex).
The solution: exclude game from VPN (minimal ping) while keeping VPN + Threat Protection on the rest (browser, Discord, Steam download).
Bonus: for streamers, keep VPN active on OBS (anti-DDoS) while excluding the game for ping.
3. Selective streaming — choice per service
The problem: you want Netflix US (US VPN) BUT Disney+ France without VPN (local catalogue) BUT Spotify direct.
The solution: URL-based or app-based split tunneling:
- netflix.com → US VPN
- disneyplus.com → direct
- Spotify app → direct
- Chrome app → US VPN by default
4. Local network — printer, Chromecast, NAS
The problem: VPN on → can’t print (printer no longer on “your” network from PC’s perspective), Chromecast inaccessible, Synology NAS cut.
The solution: split tunneling excludes printer app + Chromecast browser + NAS app → local access restored + VPN active on the rest.
5. Selective P2P — VPN only on torrent
The problem: you download via qBittorrent (mandatory VPN for Hadopi/BREIN) but want max speed on normal browser.
Inverse split tunneling solution: whitelist qBittorrent.exe → only torrent goes via VPN. Browser, Steam, Spotify direct.
Advantage: kill switch only protects qBittorrent (if VPN drops, qBittorrent stops). The rest continues normally.
iOS warning: technically impossible
Apple sandboxing: iOS forbids VPN apps from managing per-app routing. It’s an OS limit, not a VPN shortcoming.
All VPNs have the same limitation:
- ❌ NordVPN iOS: no split tunneling
- ❌ ExpressVPN iOS: no split tunneling
- ❌ Surfshark iOS: no split tunneling
- ❌ CyberGhost iOS: no split tunneling
- ❌ PureVPN iOS: no split tunneling
iOS workarounds:
- Router VPN: route the whole home via VPN, manually exclude IoT/TV via DNS overrides
- Multi-VPN profiles: create 2 profiles in iOS settings (one ON / one OFF), switch manually
- App-based routing via iOS Shortcuts (very technical, unreliable)
On Android, Mac, Windows, Linux: split tunneling works (with some Mac restrictions).
OS limits
| OS | Split Tunneling | Notes |
|---|---|---|
| Windows | ✅ Complete | All VPNs support |
| Android | ✅ Complete | All VPNs support |
| macOS | ⚠️ Limited | Apple restricted since 2020. NordVPN, Surfshark partial. ExpressVPN abandoned Mac split tunneling Big Sur+. |
| iOS / iPadOS | ❌ Impossible | OS sandboxing forbids |
| Linux | ✅ CLI | NordVPN, Surfshark CLI |
| Router | ⚠️ Per firmware | OpenWrt, AsusWRT-Merlin OK, basic ISP router no |
Step-by-step setup per VPN
NordVPN — Complete Split Tunneling
Windows / Android:
- NordVPN app > Settings (gear icon)
- Split Tunneling
- Enable
- Choose mode:
- Disable VPN for selected apps (blacklist)
- Enable VPN only for selected apps (whitelist)
- Add applications from list
- Save
macOS: NordVPN split tunneling limited since Big Sur (Apple restrictions). Works for major apps.
Surfshark Bypasser — flexible
Windows / Android:
- Surfshark app > Settings > Bypasser
- Choose mode:
- Bypass VPN (excluded apps)
- Route via VPN (included apps only)
- App-based (select per installed app)
- OR URL-based (per domain — e.g. bypass bank.com)
- Save
Surfshark advantage: native URL-based (rare), unlimited connections (useful in family split).
ExpressVPN — Split Tunneling
Windows:
- ExpressVPN app > Hamburger menu > Options
- General tab > Split Tunneling > Enable
- Settings:
- Do not allow selected apps to use the VPN (blacklist)
- Only allow selected apps to use the VPN (whitelist)
- Select apps
- OK
macOS: ExpressVPN disabled split tunneling on Mac since Big Sur (Apple limits).
Android: available.
CyberGhost Smart Rules
CyberGhost uses Smart Rules (more advanced than simple split tunneling):
- CyberGhost app > Smart Rules
- Application Protection tab
- Add app + choose behavior (always via VPN, never via VPN, ask)
- Wi-Fi Protection tab: rules per Wi-Fi network (e.g. auto VPN on café Wi-Fi, OFF on home Wi-Fi)
- Save
PureVPN Split Tunneling
Windows / Android:
- PureVPN app > Settings > Split Tunneling
- Enable
- Inverse split tunneling available
- Add apps
- Save
Note: PureVPN split tunneling more basic than NordVPN/Surfshark but functional.
Strategies per user profile
“Banking + streaming” profile
Recommended setup:
- VPN by default (Threat Protection, public Wi-Fi secured)
- Exclude: mobile banking app, BankID/MitID/eID if Nordics, trading app
- Include VPN: Netflix, browser, Discord, Spotify, etc.
VPN reco: NordVPN (clear split).
“Competitive gamer streamer” profile
Recommended setup:
- VPN by default (anti-DDoS for OBS streaming)
- Exclude: Valorant.exe, Warzone.exe, fortnite.exe, csgo.exe (latency)
- Include VPN: OBS, Discord, browser, Steam download
- Bonus: dedicated IP to avoid Vanguard flag
VPN reco: NordVPN with dedicated IP.
“P2P privacy paranoid” profile
Recommended setup:
- VPN OFF by default (max browsing speed)
- Inverse split tunneling: whitelist ONLY qBittorrent.exe
- App-level kill switch on qBittorrent
- If VPN drops → qBittorrent stops (P2P IP never exposed)
VPN reco: Surfshark Bypasser (clear whitelist mode).
“Multi-user family” profile
Recommended setup:
- VPN on parent PCs (split per app)
- Home Wi-Fi router VPN (whole family covered)
- Smart DNS on TV/console (4K)
- Kid apps (Roblox, Minecraft) stay VPN-protected
VPN reco: Surfshark (unlimited family) + Bypasser.
Limits and risks to know
Risk #1 — Excluded apps exposed
Apps excluded from VPN = traffic outside the tunnel (no VPN encryption), real IP visible. If you mistakenly exclude a sensitive app on public Wi-Fi, data theft is possible.
Solution: NEVER exclude: main browser, email app, sensitive messaging app. Only exclude apps with limited function (game, sandboxed banking app).
Risk #2 — DNS leak on excluded apps
Excluded apps may leak DNS queries to your ISP even if the VPN is active for the rest. Your ISP sees “User resolved pornhub.com” even if the browser goes via VPN.
Solution: test with our DNS leak tool after setup. Force DNS Cloudflare 1.1.1.1 / Quad9 9.9.9.9 if leak detected.
Risk #3 — Kill switch ONLY protects VPN
Kill switch cuts Internet for apps going via VPN if tunnel drops. Excluded apps continue normally — they were never in the tunnel.
Consequence: if you mistakenly exclude qBittorrent and the VPN drops, qBittorrent continues with your real IP exposed → ARCOM/Hadopi can identify you.
Solution: qBittorrent always included / VPN-only (whitelist mode), never excluded.
Risk #4 — Confusion classic vs inverse mode
Classic mode (excluded apps): VPN by default. Inverse mode (included apps): direct by default.
Frequent error: thinking you’re in classic when actually inverse → main traffic in clear unknowingly.
Solution: always verify after setup on whatismyip — if real IP visible while thinking VPN active, it’s a leak.
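The kill-switch behaviour from Risk #3 and the mode confusion from Risk #4 can be checked on paper before touching the client. The following is an added example, not code from any VPN vendor: a toy routing model in which the function names, executable names and the must-tunnel set are assumptions made for illustration.

```python
# Added illustration: a toy model of split-tunnel routing, not any VPN client's code.
from itertools import product

CLASSIC, INVERSE = "classic", "inverse"  # blacklist / whitelist modes from the article


def route(app, mode, listed, tunnel_up):
    """Return 'vpn', 'direct' or 'blocked' for one app.

    classic: every app uses the VPN except those in `listed`.
    inverse: no app uses the VPN except those in `listed`.
    The kill switch only acts on apps assigned to the tunnel.
    """
    if mode not in (CLASSIC, INVERSE):
        raise ValueError(f"unknown mode: {mode}")
    in_tunnel = (app not in listed) if mode == CLASSIC else (app in listed)
    if not in_tunnel:
        return "direct"  # never in the tunnel, so the kill switch does not apply
    return "vpn" if tunnel_up else "blocked"


def audit(mode, listed, installed, must_tunnel):
    """List (app, tunnel_state) pairs where an app that must stay in the
    tunnel would leave with the real IP."""
    findings = []
    for app, up in product(sorted(must_tunnel & installed), (True, False)):
        if route(app, mode, listed, up) == "direct":
            findings.append((app, "tunnel up" if up else "tunnel down"))
    return findings


# Constructed sample data (hypothetical executable names).
INSTALLED = {"qbittorrent.exe", "chrome.exe", "MyBankApp.exe", "steam.exe"}
MUST_TUNNEL = {"qbittorrent.exe", "chrome.exe"}

if __name__ == "__main__":
    # Intended setup: classic mode excluding only the bank app, no findings.
    print(audit(CLASSIC, {"MyBankApp.exe"}, INSTALLED, MUST_TUNNEL))
    # Same list applied in inverse mode (Risk #4): browser and torrent go direct.
    print(audit(INVERSE, {"MyBankApp.exe"}, INSTALLED, MUST_TUNNEL))
    # qBittorrent excluded by mistake in classic mode (Risk #3).
    print(audit(CLASSIC, {"qbittorrent.exe"}, INSTALLED, MUST_TUNNEL))
```

An empty result only says the configuration is consistent with your intent; the IP and DNS checks described above still have to be run against the real client.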
Final comparison table
| VPN | Windows | Mac | Android | iOS | Linux | URL-based | Whitelist mode |
|---|---|---|---|---|---|---|---|
| NordVPN | ✅ | ⚠️ | ✅ | ❌ | ✅ CLI | ❌ | ✅ |
| Surfshark Bypasser | ✅ | ⚠️ | ✅ | ❌ | ✅ CLI | ✅ | ✅ |
| ExpressVPN | ✅ | ❌ Big Sur+ | ✅ | ❌ | ⚠️ Aircove | ⚠️ | ✅ |
| CyberGhost Smart Rules | ✅ | ⚠️ | ✅ | ❌ | ❌ | ⚠️ | ✅ |
| PureVPN | ✅ | ⚠️ | ✅ | ❌ | ⚠️ | ❌ | ✅ |
What NOT to do
- ❌ Exclude main browser from VPN on public Wi-Fi — sniffing risk
- ❌ Think kill switch protects everything — it ONLY protects VPN tunnel
- ❌ Exclude qBittorrent by mistake in classic mode — P2P IP exposed immediately
- ❌ Count on iOS split tunneling — doesn’t exist, sandboxing
- ❌ Set up split tunneling without testing afterwards — always verify IP/DNS leak post-config
Complementary security stack
Split tunneling is a flexibility tool, not a substitute for basic protections:
- Kill switch enabled on VPN tunnel
- DNS leak protection enabled
- WebRTC blocked on browser
- 2FA everywhere (Google Authenticator)
- NordPass strong unique passwords
Verdict
For 95% of users: get NordVPN at €3.09/month. Complete split tunneling (Windows, Android, Linux, partial Mac), easy apps, clear modes.
For advanced URL-based: Surfshark Bypasser — split per domain + apps + unlimited connections.
For per-Wi-Fi rules (auto): CyberGhost Smart Rules — auto VPN on cafés, OFF home.
Premium tech: ExpressVPN — Lightway + stable Windows/Android split.
Budget: PureVPN at €1.99/month — functional basic split.
Recommended standard setup:
- NordVPN by default everything via VPN
- Exclude: mobile banking app, competitive game, local printer app
- Test on whatismyip (included apps = NordVPN IP, excluded apps = real IP)
- Verify zero DNS leak
See also: WireGuard vs OpenVPN, Kill switch VPN, DNS leak, Smart DNS vs VPN, Tor vs VPN.