πŸŒ™ LATE NIGHT MODE ACTIVATED β€” THE CLOWN IS WATCHING πŸŒ™
Home β†’ Resources β†’ Protocols β†’ Split Tunneling

Split Tunneling
Explained.

Send some apps through the VPN and let others go direct. Sounds simple. The trade-offs are interesting.

The concept

By default, when you turn on a VPN, every application on your device routes its traffic through the tunnel. Email, web browsing, background syncs, app updates β€” all of it gets encrypted and sent through the VPN server.

Split tunneling breaks this all-or-nothing model. You choose which apps (or which destinations) go through the VPN, and which go directly through your normal internet connection.

Two implementation flavors

App-based (per-app VPN)

Most common on consumer VPNs. You select specific apps to include or exclude. Examples:

  • Include list: only the apps in the list go through the VPN; everything else bypasses it.
  • Exclude list: everything goes through the VPN except the apps in the list.

Decisions are made at the application level β€” your banking app's traffic doesn't go through the tunnel, but every other app's traffic does.

IP-based / route-based

More flexible but harder to configure. You specify IP ranges or hostnames that should bypass the VPN. For example:

  • "Exclude everything in 192.168.0.0/16" (your local network β€” keeps local printers and NAS accessible).
  • "Exclude netflix.com and its CDN IPs" (so Netflix sees your real location).

IP-based split tunneling is more common on desktop and router-level VPN setups. On mobile, app-based is the default.

Common use cases

Banking apps that block VPNs

Many banking apps detect VPN traffic and block sessions as a fraud-prevention measure. If you regularly use mobile banking with the VPN active, you'll see errors like "We can't process this request right now" or just silent login failures. Solution: route the bank app outside the VPN.

The trade-off: your bank traffic goes through your normal ISP connection, so they see it. This is usually fine β€” your bank already knows who you are.

Local network resources

Home printers, NAS devices, smart-home hubs, file servers, local game servers β€” anything on your home or office network. These devices have private IPs (192.168.x.x etc.) that aren't reachable through a VPN tunnel because the tunnel exits at the provider's remote server, not on your local network.

Solution: split-tunnel to route local-IP traffic outside the VPN. Most VPN clients handle this automatically when you enable "allow local network access."

Latency-sensitive applications

Online gaming, voice calling, video conferencing β€” any app where every extra millisecond matters. VPN adds some latency (the traffic detours to the VPN server before reaching its destination). Routing these specific apps outside the tunnel removes that overhead.

Trade-off: those apps no longer benefit from VPN protection. If you're on a trusted network and only care about latency, this is fine. On hostile WiFi, it's risky.

Region-specific apps

Sometimes you want an app to see your real location for legitimate reasons β€” weather apps, food delivery, ride-sharing, maps. These apps can break or behave oddly if they see a VPN's location instead. Split-tunnel them outside the VPN to get accurate behavior.

The security trade-off

Anything you route outside the VPN is exposed to:

  • Your local network (other devices on the WiFi).
  • Your ISP.
  • Any observer along the route to the destination.

On your home WiFi this is fine β€” you trust the network. On public WiFi it's the opposite of what you want.

Practical guidance:

  • Trusted networks (home, office): split tunneling is safe and useful.
  • Untrusted networks (public WiFi, hotel, airport): disable split tunneling and keep everything in the tunnel.

Some VPN apps let you configure this conditionally β€” split tunneling active on home WiFi, full tunnel on everything else. Worth using if available.

What about DNS?

An often-overlooked detail: even if an app is excluded from the VPN tunnel, its DNS queries may still go through the VPN's DNS resolver (or vice versa). This can cause weird behavior:

  • App is excluded but DNS goes through VPN β†’ app connects to a geographically inappropriate server because DNS returned a VPN-side answer.
  • App is included but DNS goes through local resolver β†’ destination IP visible to ISP, defeating part of the VPN.

Reputable VPN clients (ours included) handle this correctly β€” split-tunneled apps get their DNS from outside the tunnel, tunneled apps get their DNS from inside. Sketchy implementations may not.

Split tunneling at ClownVPN

Our Android app supports app-based split tunneling. Settings β†’ Split Tunneling lets you:

  • Choose "Include all apps" (default) β€” everything goes through VPN.
  • Choose "Exclude specific apps" β€” selected apps bypass VPN.
  • Choose "Include only specific apps" β€” only selected apps use VPN; everything else direct.

Local network access is always allowed when the VPN is active, so home printers and NAS devices keep working without manual configuration.

Related reading

πŸŽͺ FAQ

When does split tunneling actually help me?
Three common scenarios. (1) Banking apps that block VPN traffic β€” route them outside the tunnel. (2) Local network resources like home printers, NAS devices, smart-home hubs β€” these need your real local IP. (3) Latency-sensitive apps like online gaming where the VPN adds unwanted hops. The downside is that any app you route outside the tunnel is exposed to whatever local network you're on, so use split tunneling deliberately, not by default.
Is split tunneling a security risk?
Yes, on hostile networks. Whatever you route outside the VPN tunnel is unprotected and visible to the network. On your home WiFi where you trust the network, this is fine. On public WiFi or untrusted networks, split tunneling defeats the entire reason you're using a VPN β€” keep everything tunneled in those environments.
What's the difference between app-based and IP-based split tunneling?
App-based (per-app VPN) routes traffic based on which application generated it β€” easier to configure and what most consumer VPNs offer on Android. IP-based routes traffic based on destination IP β€” more flexible but harder to set up because you need to know the IPs of services you want to exclude (which change for cloud-hosted services). App-based is more common; IP-based is more powerful.
Does Android support split tunneling natively?
Partially. Android's VPN API has supported per-app routing since Android 5 (2014), but it's an app-level decision β€” the VPN app has to implement the UI for choosing which apps to include/exclude. Most modern VPN apps including ours support this. iOS has historically been more restrictive β€” per-app VPN is a managed-device feature, not a consumer setting.
Does ClownVPN support split tunneling?
Yes β€” on Android. Settings β†’ Split Tunneling lets you choose which apps go through the VPN and which bypass it. Default is all apps tunneled. We use app-based split tunneling (per-app VPN), not IP-based.

πŸŽͺ Per-App VPN

Banking apps direct. VPN for everything else. Configurable.

πŸ€– Get The Free App