Split tunneling with a VPN

Split tunneling gives users flexibility and efficiency when using a VPN, but with security risks. Mixnets provide a third option.

Author: Nym
16 mins read

One of the tradeoffs of using a Virtual Private Network (VPN) for increased privacy and anonymity can be speed: slower connections and transmissions. After all, for our traffic to be encrypted between our device and the VPN server, and for our IP address to be masked, our data has to be routed through that server before reaching its destination. This takes time, and how much depends a lot on the capacity and reliability of the VPN server(s) helping us. For most users, these latencies might be negligible, or even imperceptible, for day-to-day tasks. For others needing higher network performance, they can be a headache.

Split tunneling is an advanced feature of many modern VPN services that lets users balance privacy with functionality. It allows users to configure which apps, destinations, or types of online activity are routed through the VPN, and which bypass it. There might be many reasons for wanting a custom configuration like split tunneling, but it boils down to user options, flexibility, and efficiency.

In this article, we explain what split tunneling is, how it works, and the different configurations users can choose from. Split tunneling with a VPN can also pose risks for your online security. As we will see, choosing a mixnet VPN over a regular VPN gives users an additional option in split tunneling: the majority of traffic can be set to pass through a fast 2-hop network with strong security, while only a small quantity of traffic is set to use the 5-hop mixnet mode offered by NymVPN.

If VPN technology is new for you, be sure to read up on how VPNs work to protect your privacy!

What is VPN split tunneling?

First off, network tunneling is the fundamental mechanism a VPN uses to move data securely from a user’s device to the VPN’s server. In order to reroute your internet traffic, the VPN client first encrypts your data on your device. It then sends it through a “tunneling” protocol, over a session unique to you, to the VPN server, where the data is decrypted and forwarded to its destination with the server’s IP address in place of yours. Encryption and tunneling prevent external surveillance and interference in transit between you and the VPN server: anyone watching that link sees only encrypted traffic headed for the VPN. The VPN server itself, however, sees the decrypted traffic, which is why the trustworthiness of the provider matters.

With a VPN activated, all your online activity is routed through the same network tunnel and server(s) by default. This is what is called “full tunneling.” It doesn’t matter whether it is a work email you’re sending, a movie downloading in the background, or incoming app data: everything goes to the VPN server through the same unique tunnel, all things protected equally. But this is not the only way VPNs can be configured.

Split tunneling is an additional feature for some VPNs which allows users to route only selected activity from their device through the VPN. For example, a user might want to use a VPN for one particular task, like a work email account containing sensitive information. They could then browse the web without VPN security and its potential latencies. Tunneling is thus “split” because the user is accessing the web through two different connections at the same time. The possibilities for how users can configure split tunneling, as we will see next, are quite flexible and sophisticated.

To appreciate some of the following benefits of VPN split tunneling, don’t forget that for a VPN to make your activity more anonymous, it replaces your unique IP address with its own. So if the VPN server you’re connected to is in São Paulo, then when you connect to a website, the website will see that you’re in Brazil. This is great if you want to hide where your activity originates, but less convenient for services that need to know who and where you are in order to work.

Different types of VPN split tunneling

Split tunneling on a VPN can be configured in a number of ways depending on user needs. Here are some possibilities, roughly ordered by the complexity of the setup:

App-based split tunneling

The most common split tunneling option is when the user selects specific applications to use the VPN, allowing the rest to connect directly to the public web. This is useful for specific apps that need more robust protection, such as a work email program. Multiple apps can be selected on a case-by-case basis, keeping everything else off the tunnel and placing less load on the VPN server.

Inverse split tunneling

This “inverse” option selects only specific applications to bypass the VPN, while the remaining internet traffic goes through it. This is useful when a user wants the majority of their data protected, but needs specific applications to have a direct Internet Service Provider (ISP) connection. Some networks require a local IP address for access, and many apps, like weather apps or clocks, rely on geolocation to function properly. Services like streaming platforms can also be set to bypass the VPN so that you can still access your regional content, which the service might block if your VPN places you in another country.

Domain-specific split tunneling

Instead of configuring certain apps on your computer for split tunneling, you can choose particular websites to use the VPN when you access them, with all other domain requests using the open web. This is a very streamlined approach for users who only want to remain anonymous and private while accessing certain content online. However, it’s a substantially less secure approach overall, and a brittle one: the rule is applied when a name is resolved, so the client must observe the DNS lookup in order to route the resulting connection. Anything that connects by IP address, or resolves names through another path (such as a browser’s own encrypted DNS), will miss the rule entirely.

Dynamic split tunneling

Like domain-specific split tunneling, more dynamic configurations allow users to include or exclude traffic from the VPN tunnel based on DNS names, with the matching routes added at the moment a name is resolved rather than fixed in advance. One motivation is that security teams may prefer to route unknown or suspicious domain requests through a particular server for enhanced scrutiny, thus allowing other traffic to pass through the network more efficiently.

IPv6 dual-stack networking

There is currently a long and gradual transition between two IP address formats to enlarge the total number of addresses available (IPv4’s 32-bit addresses and IPv6’s 128-bit ones). In the meantime, VPN split tunneling can allow users to access both formats through different channels. This might matter when a company that uses IPv6 internally also needs its remote and global workers to reach IPv4 content. A split tunneling configuration can provide this double means of secure access for a distributed workforce. The flip side is a classic leak: if the tunnel carries only IPv4 while the device also has native IPv6 connectivity, IPv6 traffic quietly takes the ISP’s route unless the client explicitly tunnels or blocks it, so dual-stack setups should be checked for both address families.

Multiple tunnel split tunneling

Finally, users can even split their traffic so that it passes through two separate VPN tunnels. Some users may need to send different kinds of content to different servers without the traffic mixing. Remote workers might have one tunnel carrying sensitive work documents to their company’s VPN, while using a separate tunnel to their personal cloud server. If configured properly, there is little chance of the two streams mixing in the same tunnel or on the same server.
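To make the configurations above concrete, here is an added example (written for this article, not code from Nym or NymVPN) of the per-connection decision a split-tunnel client has to make. It combines app-based rules, inverse (bypass) rules, domain-based rules with longest-suffix matching, two named tunnels and a LAN exception in one policy; the app names, domains, tunnel names (“2hop”, “5hop”) and IP addresses are all constructed for illustration.

```python
"""Split-tunnel policy engine: an added example, not NymVPN code.

Models the per-flow decision a VPN client makes: which tunnel, if any, a
new connection enters. It covers the configurations described above:
app-based rules, inverse (bypass) rules, domain-based rules with
longest-suffix matching, multiple named tunnels, and a LAN exception.
All app names, domains, tunnel names and addresses are constructed.
"""
from dataclasses import dataclass, field
import ipaddress

DIRECT = "direct"  # bypass the VPN entirely; traffic leaves via the ISP


@dataclass(frozen=True)
class Flow:
    app: str   # process that opened the connection
    host: str  # DNS name the app resolved, or "" if it connected by raw IP
    dst: str   # destination IP address as text


@dataclass
class Policy:
    default: str                   # tunnel used when no rule matches
    app_rules: dict = field(default_factory=dict)     # app -> tunnel or DIRECT
    domain_rules: dict = field(default_factory=dict)  # domain suffix -> tunnel or DIRECT
    lan_subnets: tuple = ()        # local subnets that stay off the VPN

    def decide(self, flow: Flow) -> str:
        # 1. App rules express both "send this app through tunnel X" and the
        #    inverse "let this app bypass the VPN" (target DIRECT).
        if flow.app in self.app_rules:
            return self.app_rules[flow.app]
        # 2. Domain rules: the longest matching suffix wins, so a rule for
        #    "cdn.weather.example" overrides one for "weather.example".
        #    This only fires when the client saw the DNS name; a raw-IP
        #    connection has host == "" and falls through.
        best = None
        for suffix, target in self.domain_rules.items():
            if flow.host == suffix or flow.host.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, target)
        if best is not None:
            return best[1]
        # 3. LAN exception: only the explicitly listed local subnets bypass
        #    the VPN. Matching "any private address" instead would also
        #    send corporate 10.0.0.0/8 destinations straight to the ISP.
        dst = ipaddress.ip_address(flow.dst)
        for subnet in self.lan_subnets:
            if dst in ipaddress.ip_network(subnet):
                return DIRECT
        # 4. Fail closed: anything unmatched takes the default tunnel.
        return self.default


# Constructed policy: everyday traffic uses a fast 2-hop tunnel, a mail
# client and a bank use a slower 5-hop tunnel, a game bypasses the VPN,
# the weather app goes direct so geolocation works, and the home printer
# subnet is reachable locally.
HOME_POLICY = Policy(
    default="2hop",
    app_rules={"game-launcher": DIRECT, "work-mail": "5hop"},
    domain_rules={
        "bank.example": "5hop",
        "weather.example": DIRECT,
        "cdn.weather.example": "2hop",
    },
    lan_subnets=("192.168.1.0/24",),
)

if __name__ == "__main__":
    samples = [
        Flow("game-launcher", "matchmaking.example", "203.0.113.10"),
        Flow("work-mail", "mail.corp.example", "198.51.100.5"),
        Flow("browser", "login.bank.example", "198.51.100.20"),
        Flow("browser", "", "198.51.100.20"),  # same server, reached by raw IP
        Flow("browser", "api.cdn.weather.example", "203.0.113.77"),
        Flow("print-spooler", "", "192.168.1.20"),
        Flow("browser", "", "10.0.0.5"),
    ]
    for f in samples:
        print(f"{f.app:14} {f.host or f.dst:28} -> {HOME_POLICY.decide(f)}")
```

The two browser flows to 198.51.100.20 show the weakness of domain-based rules: the connection made by name is sent through the 5-hop tunnel, while the identical connection made by raw IP falls through to the default tunnel because no name was ever observed. Failing closed (default to a tunnel, never to DIRECT) is what keeps that mismatch a performance issue rather than a privacy leak.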

Benefits of VPN split tunneling

Why should we go through the trouble of setting up split tunneling with a VPN? In the end, it depends on what you need a VPN for, and what activities you don’t want a VPN’s potential slowness and delays to affect. Here are some useful benefits:

Faster connections

VPNs function as proxy servers for your online activity. So before you can do something as simple as accessing a website, there are a number of intervening steps: the data of your request must first be encrypted on your device, tunneled to the VPN server where it is decrypted (don’t freak out just yet!), and then sent to the requested destination (the website), before any response is tunneled back to you in the same way. With a quality VPN network, you’ll probably never notice much delay for basic things online. However, this is obviously a longer process than connecting directly to a website through your ISP.

However, if you have a lot of simultaneous online operations happening at once (things downloading, streaming, many open browser tabs, email pings), then something as simple as spontaneously looking for a restaurant on a search engine might be slower than without the VPN. The worst option is having to turn our VPNs on and off every time we experience connection issues, since each time we do this we temporarily cut the VPN’s protections. Split tunneling simply allows you to choose in advance which online activities need a VPN and which need optimal speed.

Secure connection for remote work

Given the occasional issues with speed, users who need a secure and private connection only for work might benefit from split tunneling. For example, a company VPN could be configured to carry sensitive traffic from a designated mail client, while the rest of your device uses local access for all non-work related traffic. Bear in mind that this choice still leaves the majority of your online activity open to surveillance and other cyber attacks targeting your data.

Accessing a Local-Area-Network (LAN) while using VPN

VPNs can cause problems when trying to use things like printers on a LAN which only accept connections from devices on their local network. With a full-tunnel VPN on, the connection may simply fail: depending on the client, a request for a local address such as 192.168.1.20 is either sent into the tunnel, where it goes nowhere useful, or blocked outright by the client’s local-network protection. Split tunneling can be used to make your device’s printing software, or the whole local subnet, bypass the VPN and connect to the LAN directly.

Accessing foreign and local services at the same time

VPNs can also cause headaches with the geolocation features of some apps. If the VPN is positioning your location in Korea, you don’t really want your weather app giving you the Korean daily highs while browsing in wintry Chicago. Apps like these can be configured to use your local network while others pass securely through the VPN.

VPN blocking services

Split tunneling can allow users to access online services that have started to block known VPN IP addresses (lists of which are public). Some streaming services prohibit access to their content while a known VPN is in use, typically to enforce regional licensing and stop users in one region from watching content licensed only for another. More legitimately, banks or corporations may block known VPN addresses from reaching their servers to reduce fraud and cyber attacks against their financial systems. Split tunneling gives users an option to maintain overall privacy while permitting access to these needed services.

Split tunneling security risks

VPNs are often turned to for privacy and anonymity online. As we’ve seen, split tunneling configurations have clear benefits for users, such as optimizing data traffic based on what different users may need the VPN for or not. But are there security risks in using a split tunneling setup? Definitely, because you’re choosing to let certain personal data go potentially unprotected!

Compromised data security

When using split tunneling, you are ultimately deciding to make only a portion of what you are doing online anonymous. Whatever does not pass through the VPN can potentially be compromised: through external surveillance of your browsing habits, exploitation of any unencrypted sensitive information, and other malicious attacks targeting your data or device. These outcomes are not certain, since most websites now use HTTPS, which encrypts the content of your sessions (though not the fact that you visited them: the destination and the DNS lookup remain visible to your ISP). But as we’ve seen, the scope of global mass surveillance is much more extensive than anyone thought possible.

Malware infections

In certain cases, VPNs can protect users against hacking and cyber attacks. However, a VPN cannot protect you against malware that is already on your device. By navigating the web with your IP address exposed, and potentially without encryption, you are open to data exploitation through malware or spyware. This can happen even through accidental clicks on links and malicious ads. Once malware is on your device, even the information you’ve configured to be sent through the VPN can be captured on your end before the VPN ever encrypts it.

Network management and security

For some users in corporate or institutional networks, split tunneling can make network security management more challenging. It is difficult to monitor traffic when some users’ devices have a direct, unmonitored path to the public internet alongside the corporate tunnel, and a compromised device in such a setup can act as a bridge between the two. In certain business settings, this could lead to financial and legal repercussions for individuals managing sensitive information on their devices.

Configuration errors

The more advanced the configuration settings of VPN split tunneling become, the greater the risk of a mismatch between what the user intended and what the VPN actually does. If users misconfigure certain apps, or do not write precise enough rules in more complex setups (an exclusion that is broader than the local subnet it was meant to cover, for instance), then sensitive data intended for the VPN can end up directly on the public internet. Verify rather than assume: after setting up rules, check from each app which IP address the remote side sees and which interface the traffic actually leaves through.
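A practical way to catch the configuration errors just described, and the IPv6 dual-stack leak mentioned earlier, is to audit the routing table the VPN client actually installed. The following is an added example written for this article, not code from Nym or NymVPN: it parses a constructed route table, performs longest-prefix matching the way the kernel does, and reports any destination that was supposed to be tunneled but would leave via the ISP interface. The route-line format, interface names and addresses are all assumed for the example.

```python
"""Route-table leak audit: an added example, not NymVPN code.

A VPN client implements split tunneling by installing routes: destinations
covered by a route via the tunnel interface take the VPN, everything else
takes the ISP's default route. Given such a table and a list of
destinations that must be tunneled, this audit finds the ones that would
leak. The table format and all addresses below are constructed.
"""
import ipaddress


def parse_routes(text):
    """Parse constructed lines of the form '<prefix> dev <interface>'."""
    routes = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, keyword, dev = line.split()
        assert keyword == "dev", f"unexpected route line: {line}"
        routes.append((ipaddress.ip_network(prefix), dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks an outgoing interface.

    Returns the interface name, or None if no route covers the destination
    (the packet is dropped rather than leaked).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def audit(routes, expectations, tunnel_dev="tun0"):
    """Return (destination, interface) pairs that must use the tunnel but don't."""
    leaks = []
    for dst, must_tunnel in expectations:
        dev = lookup(routes, dst)
        if must_tunnel and dev is not None and dev != tunnel_dev:
            leaks.append((dst, dev))
    return leaks


# Constructed table with two common mistakes: the "bypass my LAN" exclusion
# is written as a /8 instead of the /24 the user meant, and the IPv6
# default route still points at the ISP because the tunnel carries only IPv4.
LEAKY_TABLE = parse_routes("""
    0.0.0.0/0      dev tun0
    192.0.0.0/8    dev eth0
    ::/0           dev eth0
    fe80::/64      dev eth0
""")

# Corrected table: LAN exclusion narrowed, IPv6 default route moved into the tunnel.
FIXED_TABLE = parse_routes("""
    0.0.0.0/0      dev tun0
    192.168.1.0/24 dev eth0
    ::/0           dev tun0
    fe80::/64      dev eth0
""")

# (destination, must it be tunneled?) -- only the printer is meant to stay local.
EXPECTATIONS = [
    ("192.168.1.20", False),   # home printer on the LAN
    ("192.0.2.10", True),      # public server that happens to sit inside 192.0.0.0/8
    ("198.51.100.5", True),    # public IPv4 server
    ("2001:db8::10", True),    # public IPv6 server
]

if __name__ == "__main__":
    print("leaky:", audit(LEAKY_TABLE, EXPECTATIONS))   # two leaks reported
    print("fixed:", audit(FIXED_TABLE, EXPECTATIONS))   # no leaks
```

On a real machine the input would be the output of `ip route` and `ip -6 route` (or the platform equivalent) taken while the VPN is connected; the point of the check is that both address families are audited, since a table that looks correct for IPv4 says nothing about where IPv6 traffic goes.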

Split tunneling: Centralized and mixnet VPNs

Shopping for a VPN: Some key differences

Both traditional and mixnet VPNs can allow for split tunneling, which currently works the same way on both; the difference is simply which configurations a given client supports. Certain VPN providers might not support some of the configurations described above, so it is important to first verify whether a VPN can be configured in the way you need. But the question of privacy lies elsewhere.

Users on the market for a VPN will confront different options, sometimes with confusing distinctions between them. If enhanced privacy and anonymity are your prime concerns, then it’s important to consider two types:

  1. First off, there are pretty much all of the mainstream and traditional VPNs. Despite their marketing commitments to user privacy, they almost all rely on the same kind of centralized physical infrastructure: servers they either own or rent (typically from the same hosting provider). Consider two consequences of this: you must trust the VPN provider with your traffic, and they centrally locate it where it can be vulnerable to data breaches.
  2. In light of this weak security model, new innovative VPNs have been built on decentralized network infrastructures. A mixnet VPN transmits your traffic through a distributed network of many independently operated nodes, no one of which sees both where your traffic comes from and where it is going. This design makes the breach of any single server far less useful to an attacker, and surveillance and traffic analysis exceedingly difficult.

Traditional and centralized VPNs might promise better speed for all your traffic. Obviously one-hop is going to be faster than many-hops by default. But how much privacy are we willing to risk for faster network performance?

Is split tunneling safer with a mixnet VPN?

If we pose the question of securing privacy only in terms of split tunneling, then no: it functions in the same way between traditional and mixnet VPNs. Split tunneling configurations are selective modifications of the normal full tunneling VPN encryption in which a user voluntarily creates exceptions to bypass the VPN’s security features. Whatever doesn’t go through the VPN (centralized or decentralized) is potentially vulnerable to surveillance, traffic analysis, and your activities being linked back to you.

Real user privacy is determined by the underlying architecture of the VPN network itself. Centralized, one-hop servers are certainly going to be faster than multi-hop mixnets. But this comes at the cost of using a VPN network that is definitely more vulnerable to data breaches, cyber attacks, and government pressure for user records. Mixnets like NymVPN give users a further choice: maximal protection for their privacy, with performance kept close to optimal where it is needed.

Choose the degree of your own privacy

Split tunneling is all about user preference and being able to choose what traffic goes through a VPN. But what kind of choice is it if we have to pay for speed by risking our privacy? Split tunneling with a mixnet VPN provides us with a third option where we don’t need to compromise our anonymity for performance.

This is our goal with NymVPN, which offers users the choice between a fast and secure 2-hop VPN mode and a novel 5-hop mixnet mode for enhanced security. Naturally, there will be noticeable latency in routing traffic through a mixnet path with 5 intermediary nodes. But the protection it provides is unparalleled. When split tunneling is fully integrated later this year, users will be able to do something that no other VPN on the market can do:

  • Activities like gaming, which require fast connections, can connect directly with the internet via the ISP, without any VPN latency (and, it must be said, without its protection)
  • The majority of day-to-day traffic can pass through the 2-hop mode, which provides more privacy than the majority of default one-hop VPNs, but with a bit more latency
  • And certain apps, content, or domains can be set to use the slower but far harder to trace 5-hop mixnet for extremely sensitive matters.

Conclusion

VPNs continue to be crucial tools in protecting our privacy online. But we’re confronted with a number of new choices: centralized or decentralized VPNs, and, among the decentralized ones, plain decentralized networks or decentralized mixnets. Usually, the choice between them is practical: optimal speed or optimal privacy?

If overall speed is the primary concern and not privacy, avoiding a VPN altogether might make sense. If both are important, then this need not be an either/or choice: a custom split tunneling configuration on a VPN that supports it could well balance your speed and privacy needs. After all, users do not all have the same needs: some might need high speed for certain things, and enhanced privacy for others. Split tunneling is a great feature for users to take control of how a VPN can be optimized to work for them.

But if either default or maximal privacy online is your concern, then using a mixnet VPN like NymVPN for all your traffic is the best bet on the market. For users who need the flexibility, Nym is on track to incorporate split tunneling into its VPN in 2024. Users will be able to customize their own VPN to use the novel 5-hop mixnet mode for highly sensitive traffic, while the rest passes through the default fast and secure 2-hop mode. Finally, certain activities like gaming can bypass NymVPN altogether.

Join the NymVPN community and let’s take a new control over our own online experience and privacy.
