Split Tunneling VPN Explained: Balancing Security and Performance

What is split tunneling in a VPN?

Split tunneling is the process of allowing a remote VPN user to access a public network, such as the Internet, at the same time that the user is allowed to access resources on the VPN.

When you set up split tunneling, only traffic that is destined for the subnets on your Internal LAN will go through the encrypted VPN tunnel. Other traffic will go through your employee's regular internet traffic. By using the user's local internet for non-VPN traffic, split tunneling avoids overloading the company network.

Split tunneling helps balance two key priorities of any business: performance and security. It can benefit virtually any company that needs to increase their remote employment capabilities without decreasing productivity. And split tunneling doesn’t have to be complicated: with the right VPN, setup is fast and easy, and you can continue business as normal, regardless of the situation.

For a helpful overview of internet access configuration as it relates to CloudConnexa, check out this guide.

VPN encryption explained

VPN encryption is the process of converting data into an unreadable format to protect it from unauthorized access as it travels between your device and the VPN server. Encryption methods vary depending on the protocols and ciphers used by the VPN provider, but the goal is always the same: to secure your data and ensure privacy.

Common encryption methods

Below are key VPN encryption methods:

Symmetric encryption: This method uses the same key for both encryption and decryption of data. Common symmetric encryption algorithms include AES (Advanced Encryption Standard), which is widely used by VPNs due to its balance between speed and security. AES comes in different key lengths, such as 128-bit, 192-bit, and 256-bit, with the latter being considered the most secure.
Asymmetric encryption: Asymmetric encryption uses two different keys: a public key for encryption and a private key for decryption. The RSA (Rivest-Shamir-Adleman) algorithm is a common example of this, and it plays a vital role in establishing secure connections in many VPN protocols, particularly during key exchange.
Perfect Forward Secrecy (PFS): PFS is an additional layer of security where unique encryption keys are generated for each session. Even if a session’s key is compromised, it won’t affect previous or future sessions because the keys are temporary. PFS is commonly used with protocols like OpenVPN.
Hashing: VPNs use hashing to ensure the integrity of data by verifying that the data has not been tampered with. Algorithms like SHA-256 (Secure Hash Algorithm) are often used in this process. Hashing ensures that if even one bit of the data changes, it will produce a completely different hash, alerting the system to potential tampering.

Why encryption is key to data privacy

Encryption is crucial in maintaining data privacy, especially in a world where online threats and surveillance are prevalent. VPN encryption methods, such as symmetric and asymmetric encryption, play a key role in securing data during transmission. Here’s why encryption matters for VPNs:

Protection against hackers: Encryption shields sensitive data like passwords, financial information, and personal messages from being intercepted by hackers. Without encryption, any data traveling across the internet could easily be stolen, particularly when using unsecured public WiFi networks.
Preventing ISP monitoring: Internet service providers (ISPs) can log your browsing activity and sell this data to advertisers or provide it to government agencies. VPN encryption prevents your ISP from seeing what websites you visit or what content you download, thereby protecting your online privacy.
Ensuring data integrity: VPN encryption ensures that the data transferred between your device and the server has not been altered. Even if someone intercepts the data, encryption prevents them from making changes without rendering the data useless.
Compliance with privacy regulations: Businesses often use VPNs to comply with privacy regulations such as GDPR, HIPAA, and CCPA. By encrypting sensitive customer data, companies can ensure they are protecting this information in transit, thereby avoiding potential legal consequences and fines.
Anonymity and freedom of speech: In countries where internet usage is heavily censored or monitored, encryption allows individuals to access restricted content and communicate freely without fear of surveillance or reprisal.

Comparing common encryption protocols used in VPNs

Different VPN protocols use various encryption methods, and each has its strengths and weaknesses. Here’s a comparison of common encryption protocols:

Protocol	Encryption Method	Strengths	Weaknesses	Best For
OpenVPN	AES-256 (encryption), RSA-2048 (key exchange), SHA-256 (integrity)	Highly secure, supports Perfect Forward Secrecy (PFS), open-source, highly configurable	Slower than other protocols due to strong encryption	High-security needs, such as business networks or protecting sensitive personal data
IKEv2/IPSec	AES-256, combined with IPSec for secure tunneling	Excellent speed and stability, especially on mobile networks, supports seamless reconnection	Slightly less configurable than OpenVPN	Mobile devices or users who need quick reconnections when switching between networks
WireGuard	ChaCha20 (encryption), Poly1305 (authentication)	Lightweight, faster than OpenVPN and IKEv2, simpler codebase, efficient	Still relatively new, less widely audited for security	High-speed connections, low-resource devices, general users who want strong security with minimal performance loss
L2TP/IPSec	AES with IPSec for secure tunneling	Easy to set up, more secure than PPTP	Slower due to double encapsulation, older and less secure than newer protocols	Compatibility and ease of setup, not focused on high-security needs
PPTP	MS-CHAP v2 authentication, MPPE encryption	Fast, simple to set up, widely supported	Obsolete, highly vulnerable to security exploits, considered insecure	Speed is more important than security, such as accessing geo-restricted content (not recommended for privacy)

No two protocols are the same; while each has its strengths and weaknesses, choosing the right protocol depends on the balance between security, speed, and specific use cases.

How split tunneling works

Traffic routing in split tunneling

How traffic is routed in split tunneling vs. full tunneling

The key difference between split tunneling and full tunneling in a VPN lies in how internet traffic is routed through the VPN connection. Full tunneling encrypts all traffic and routes it through the VPN, offering maximum security but often at the cost of slower internet speeds. In split tunneling, only selected traffic is encrypted. This provides better performance and bandwidth management but poses higher security risks for unencrypted traffic.

Here’s a quick visual comparison of the two options:

Feature	Full-Tunnel VPN	Split-Tunnel VPN
Security	Encrypts ALL internet traffic	Encrypts only selected traffic (configurable)
Data Leakage	Minimized risk	Potential exposure of non-VPN traffic
Privacy	Enhanced online anonymity	IP address exposed for non-VPN traffic
Performance	Slower due to additional encryption overhead	Faster due to bypassing VPN for some traffic
Local Network Access	Limited (may require additional configuration)	Maintains access to local network resources
Use Cases	Ideal for high-security environments, public WiFi	Balancing security with performance, accessing local resources

How traffic routing decisions can impact your network performance and security

Because split tunneling allows users to route some traffic through a VPN while sending the rest through their local internet connection without encryption, this can impact both network performance and security.

Network performance

Improved speed and bandwidth efficiency: Routing only specific traffic through the VPN reduces the amount of encrypted traffic going through the VPN server. This frees up bandwidth for tasks that don’t require encryption, leading to faster speeds for activities like streaming, downloading, or general browsing.
Reduced VPN server load: By not routing all traffic through the VPN, split tunneling decreases the load on the VPN server, reducing potential latency or bottlenecks and improving overall performance for the critical, encrypted traffic.
Optimized resource usage: In corporate environments, split tunneling allows non-sensitive data (such as software updates or general web traffic) to bypass the VPN, preventing congestion and ensuring high-priority data (such as remote desktop sessions or sensitive file transfers) has sufficient bandwidth.

Security implications

Potential exposure to threats: While split tunneling enhances performance, it compromises security for traffic not routed through the VPN. Unencrypted data can be intercepted, and users may expose themselves to potential threats like malware or eavesdropping, especially when connected to unsecured public networks.
Lack of full anonymity: The traffic that bypasses the VPN is visible to the user's ISP and can be subject to logging or monitoring. This might negate some of the privacy benefits provided by a VPN.
Risk of misconfiguration: Incorrect routing decisions or poorly implemented split tunneling can result in sensitive traffic being unintentionally sent over the unsecured network. For example, an application that handles both sensitive and non-sensitive data could leak secure data if not properly configured.

Examples of scenarios where split tunneling routing can be advantageous

There are many real-world cases where split tunneling offers clear benefits by balancing security and performance.

Remote work for businesses

In corporate environments, split tunneling is often used to route work-related traffic (e.g., accessing corporate servers, databases, or internal applications) through the VPN while non-work-related traffic (e.g., streaming music, browsing the internet) is routed through the regular internet. This ensures secure access to the company network while maintaining high performance for non-essential tasks.

Accessing local network devices

If a user is connected to a VPN but wants to access local devices like printers, network storage, or smart home devices on the same network, split tunneling allows local traffic to bypass the VPN. This prevents disruptions in local network services while ensuring that sensitive data is still routed securely.

Large file downloads and updates

Downloading large files (e.g., operating system updates or software patches) over a VPN can strain both the VPN server and the user's bandwidth, slowing down both the download and other activities. With split tunneling, users can download updates via their normal internet connection while continuing to route critical data (e.g., VoIP calls, remote desktop sessions) through the VPN.

Advantages of secure connections

In split tunneling, secure connections balance privacy and performance. Sensitive activities (e.g., banking, emails) are encrypted, while non-sensitive tasks bypass the VPN for speed. This saves bandwidth for critical data and improves overall network efficiency. Customization allows users to decide which traffic uses secure connections, protecting sensitive information without sacrificing performance.

Ensuring data privacy and protecting against cyber threats

Secure connections ensure privacy by encrypting data, preventing unauthorized access. They protect against man-in-the-middle attacks, especially on public networks, and prevent ISPs from tracking or logging user activity. For businesses, secure connections safeguard customer data and intellectual property, reducing the risk of data breaches.

Real-world examples of situations where secure connectivity is key

Maintaining a secure connection is essential in a variety of situations. In a remote work/hybrid work scenario, employees accessing corporate networks remotely need secure VPN connections to protect sensitive data from hackers. Additionally, travelers and remote workers using public WiFi rely on VPNs to protect personal information from cybercriminals. And as we’ve seen in so many healthcare-related cyberattacks of late, secure VPN connections for healthcare organizations are vital for protecting patient data and ensuring compliance with regulations like HIPAA.

Secure connections in split tunneling maintain speed while ensuring that sensitive data is protected through encryption, reducing the risk of privacy breaches and cyberattacks.

Benefits of split tunneling for organizations

Split tunneling offers significant advantages for businesses, balancing security and efficiency. By allowing users to route specific traffic through a VPN while other traffic bypasses it, organizations can optimize performance, conserve bandwidth, and ensure smooth access to critical resources.

Bandwidth conservation strategies

One of the key benefits of split tunneling is the ability to conserve bandwidth. In a traditional VPN setup, all traffic is routed through the VPN server, potentially leading to congestion and slowdowns. However, with split tunneling, businesses can implement strategies that reduce unnecessary traffic while maintaining security for sensitive data.

Prioritizing critical traffic

Organizations can configure their VPN to ensure that only critical traffic, such as corporate emails, file transfers, or sensitive application usage, is routed through the VPN. Meanwhile, non-essential traffic like streaming videos, social media, or software updates can bypass the VPN, conserving bandwidth for more important tasks.

Optimizing data compression

Another effective strategy is using data compression techniques within the VPN configuration. By compressing data before it is sent through the VPN tunnel, organizations can reduce the amount of bandwidth used, allowing more data to be transmitted efficiently.

Bandwidth management tips

To manage bandwidth effectively, companies should regularly monitor network traffic to identify bottlenecks. Setting up policies to control how traffic is routed and prioritizing critical tasks ensures that bandwidth is allocated where it’s needed most. Additionally, businesses can implement Quality of Service (QoS) policies to prioritize business-critical traffic.

Local resource access in split tunneling

Split tunneling offers the unique advantage of allowing employees to access local network resources, such as printers, storage devices, and intranet applications, without disconnecting from the VPN. This is especially useful in scenarios where workers need simultaneous access to secure corporate networks and local devices. Here a couple examples:

Productivity and efficiency

Being able to access local resources while maintaining a secure VPN connection ensures that employees don’t have to toggle between networks or sacrifice security to access essential tools. For instance, a remote worker might need to print documents on a local printer while staying connected to a VPN to access company files. Split tunneling ensures that both tasks can be accomplished simultaneously, leading to improved productivity.

Seamless workflow

By enabling local resource access, split tunneling ensures that workflow is uninterrupted. Employees don’t face delays or technical issues when switching between local and VPN-connected tasks, making it easier to collaborate, share files, and work efficiently.

Improved speeds with split tunneling

Another major benefit of split tunneling is improved internet speed for certain applications. By allowing non-sensitive traffic to bypass the VPN, split tunneling reduces the load on the VPN server, allowing high-bandwidth tasks to run smoothly without compromising essential security protocols.

Speed improvements

Since encrypted traffic requires more processing power and bandwidth, routing all traffic through a VPN can slow down applications that don’t need encryption, like video calls, streaming, or large downloads. Split tunneling alleviates this by allowing these bandwidth-heavy applications to use the direct internet connection, resulting in faster speeds.

Factors that contribute to speed gains

The speed improvements in split tunneling depend on several factors, including the bandwidth of the direct connection, the processing load on the VPN server, and how well the traffic is distributed. By reducing the data passing through the VPN, there is less strain on the server, which can lead to noticeably faster performance for both VPN-protected and non-protected tasks.

Security considerations for split tunneling

While split tunneling improves performance, it can introduce security risks. Addressing these is key to maintaining a secure network.

Risks of bypassing security protocols

Split tunneling can inadvertently expose users to vulnerabilities when traffic bypasses the VPN, making it susceptible to interception on untrusted networks. This puts data integrity and confidentiality at risk.

Unsecured traffic paths

By allowing certain traffic to travel outside the VPN, organizations risk exposing sensitive information. Attackers could exploit unsecured connections, especially in public WiFi settings, to steal data or inject malware. Unencrypted traffic, especially when routed through non-secure channels, may be intercepted or altered.

Mitigation strategies

Use split tunneling selectively: Only allow low-risk traffic (e.g., streaming or general web browsing) to bypass the VPN while keeping sensitive traffic encrypted.
Regularly monitor traffic: Implement network monitoring tools to track which traffic bypasses the VPN and to detect any unusual behavior.
Deploy endpoint security measures (see below) to ensure that devices accessing non-VPN traffic remain secure.

Endpoint protection measures

Ensuring strong endpoint protection is essential in split tunneling setups, as endpoints are often the first target of cyberattacks. By reinforcing device security, organizations can minimize the risks associated with split tunneling.

Antivirus software and firewalls

Devices must be equipped with up-to-date antivirus software and properly configured firewalls to protect against malicious traffic that may bypass the VPN. Firewalls can block incoming threats, while antivirus software scans files for potential malware or viruses.

Endpoint security strategies

Enable multi-factor authentication (MFA) and device encryption.
Regularly update and patch devices to protect against vulnerabilities.

Best practices for endpoint protection

Automate updates to ensure that antivirus software and firewalls are consistently up to date.
Implement device-level encryption to protect data in the event of theft or loss.
Use remote monitoring and management tools to track endpoint activity and address security issues quickly.

Data encryption best practices

In split tunneling configurations, robust data encryption is crucial for protecting sensitive traffic. Even when only a portion of traffic is routed through the VPN, it is essential that the encrypted traffic remains secure and uncompromised. Here are some key points to consider:

Encryption standards: Use AES-256 or higher to protect data transmitted through the VPN.
Key management: Rotate encryption keys regularly and store them securely to prevent unauthorized access.
Additional security measures: Implement certificate-based authentication. And audit encryption protocols regularly to keep up with the latest standards.

Implementing split tunneling in your VPN strategy

To optimize split tunneling and reduce risks, careful planning and configuration are essential. Here are ten best practices we recommend to get you started:

Limit split tunneling to non-sensitive traffic
Define clear policy-based routing rules
Monitor traffic regularly
Use strong encryption for VPN traffic
Keep VPN clients and endpoints updated
Implement endpoint security solutions
Deploy URL- and app-based filtering
Audit split tunneling configurations regularly
Use a zero trust security model
Educate users on secure practices

Policy-based routing strategies

Policy-based routing allows organizations to control traffic flows based on predefined criteria, giving them more flexibility in how split tunneling is implemented.

Customize traffic flows

Policy-based routing enables businesses to prioritize VPN traffic based on predefined criteria like application type, source (IP address), or destination. For instance, traffic related to corporate databases or financial applications can be automatically routed through the VPN, while other traffic bypasses it.

One example of a common rule is to include routing only corporate network traffic through the VPN while allowing internet-bound traffic to take a direct path.

Tips for policy-based routing

Define clear policies based on traffic sensitivity.
Regularly review routing rules to ensure they meet business security needs.

App-based configuration options

VPN applications often offer app-based configuration options for split tunneling, allowing end users and administrators to specify which apps should use the VPN and which can bypass it.

User and admin benefits of app-based configuration

For end users, app-based split tunneling offers convenience by automatically routing only necessary traffic through the VPN. For administrators, it allows granular control over which applications are protected, ensuring that sensitive apps always use encrypted tunnels.

How to choose the right VPN app

Select VPN apps that offer customizable app-based split tunneling options.
Ensure the app provides clear traffic monitoring to help users see what’s protected.

URL-based exclusions for optimization

URL-based exclusions can be used to optimize split tunneling by allowing organizations to specify certain websites or domains that can bypass the VPN.

Improving performance with URL-based exclusions

For non-sensitive sites, URL-based exclusions can improve speed by allowing traffic to avoid the encryption process. This is particularly useful for high-bandwidth tasks like video streaming or accessing public websites.

Security considerations for URL-based exclusions

While URL-based exclusions can boost performance, it’s important to ensure that no sensitive traffic is excluded from the VPN tunnel. Organizations should carefully vet URLs before adding them to the exclusion list.

Configuring URL-based exclusions

Create a list of trusted URLs for exclusion.
Regularly audit the list to ensure only non-sensitive sites are bypassing the VPN.

Setting up split tunneling

The Internet Access setting can be configured directly on individual User Groups, Hosts, and Networks. Still, the Access > Internet section allows you to view, filter, search, and change the Internet access settings of all User Groups, Networks, and Hosts in one central place. To change the internet access settings from this central place, follow the steps below:

Login to your WPC's Administration portal by entering your WPC's Cloud ID in the address bar of your web browser. For example, [company_name].openvpn.com.
Navigate to Access > Internet.
Based on the entity whose internet access needs to be changed, select one of the three tabs: User Groups, Networks, or Hosts.
Use the filters or search to help narrow down the displayed list.
Click on the edit (pencil) icon next to the entry that needs to be changed.
Select the required setting from the Internet Access drop-down menu.

Note:
'All Internet Gateways' will be chosen by default as Internet Gateway when 'Split Tunnel Off' is selected.
Click Update Internet Access.

Split tunneling use cases for remote work

Performance improvements with split tunneling

In terms of performance improvements, split tunneling provides a major win, especially for remote workers. This setup frees up bandwidth for non-sensitive tasks, allowing your entire team to work securely and efficiently.

Secure file access benefits

By using split tunneling, remote workers can securely access company files via the VPN while simultaneously using local network resources.

As such, you’re likely to see enhanced collaboration across remote teams. Secure file access through a VPN allows remote teams to collaborate seamlessly by ensuring that sensitive files can be safely accessed, shared, and updated in real-time without risking exposure to unauthorized users.

In addition, secure file access helps organizations meet regulatory compliance requirements, such as GDPR or HIPAA, by ensuring that sensitive data, such as customer records or financial information, is always transferred over encrypted channels, even when split tunneling is enabled.

Advantages of streaming and local content access

Split tunneling also allows workers to access local content or stream media without putting a strain on the VPN, making it ideal for balancing work and leisure activities.

Importance of LAN device connectivity

Remote employees who need access to local area network (LAN) devices, such as printers or local servers, also benefit from split tunneling. It allows them to connect to these devices without disconnecting from the VPN — again, enhancing efficiency while ensuring security.

Choosing the right VPN solution for split tunneling

Selecting the right VPN solution that supports split tunneling, while also offering robust security features, is critical for organizations looking to optimize performance without compromising security. A well-designed VPN can strike the perfect balance between efficiency, flexibility, and protection, ensuring that both critical and non-critical traffic is handled appropriately.

Understanding zero trust architecture

Integrating a zero trust architecture ensures that split tunneling is part of a broader security strategy where no traffic is inherently trusted, further protecting data.

With the rise of zero trust security models, selecting a VPN that supports or integrates with zero trust architecture can enhance overall network security. Zero trust principles require continuous authentication and verification of every user, device, and piece of data, reducing the risk posed by unsecured traffic in split tunneling configurations. VPNs that are compatible with zero trust environments ensure that security is maintained, even for traffic routed outside the encrypted tunnel.

Integration of endpoint security features

It's crucial to select a VPN that integrates seamlessly with existing endpoint security tools such as firewalls, antivirus software, and intrusion detection systems. This integration provides a layered defense, ensuring that even traffic bypassing the VPN is monitored and protected at the device level. Look for VPN solutions that offer endpoint security features as part of their package or that are compatible with industry-standard security solutions.

Network security solutions with robust split tunneling features

Choose VPNs with advanced security features, such as policy-based routing and app-based configuration, to maximize the benefits of split tunneling.

OpenVPN equips users of both Access Server and CloudConnexa to take advantage of the benefits of split tunneling.

Check out this tutorial on using CloudConnexa for remote access, complete with split tunneling guidance. For detailed instructions on setting up split tunneling on your Access Server, see our resource: Understanding how split tunneling works with OpenVPN Access Server.

Split Tunneling VPN FAQs

What is the impact of split tunneling on network security?

A: By excluding some traffic from the VPN, split tunneling exposes that traffic to potential interception on untrusted networks. This is a concern for sensitive data. Such data should always be routed through the VPN to minimize risk.

How does split tunneling affect remote worker productivity?

A: Split tunneling can improve performance for tasks that don't require the VPN, like accessing local network printers or file servers. This can boost productivity and be beneficial for remote workers.

Can split tunneling be used with all VPN clients?

A: Most modern VPN clients offer split tunneling functionality. However, configuration options may vary between clients, requiring some IT management effort.

Get started today with an OpenVPN solution

OpenVPN customers love their experience with our products, and we have the G2 awards to prove it.

An Access Server user in education management put it this way:

“We found OpenVPN to be a reliable and scalable VPN solution with good security features. The user interface is web based and easy to use. We found the split tunneling feature very useful not having to route all traffic back through our network.”

And a CloudConnexa user agrees that it was “extremely easy to enable things like tunneling.”

So why wait? Sign up for free to get started with Access Server and CloudConnexa. You can also sign up for a product demo here.

Looking for less commitment? We get it! Check out our interactive product demo to see what our platform looks and feels like before you sign up.