Split tunneling is a VPN configuration where some traffic routes through the encrypted tunnel and other traffic bypasses it. Common use cases: corporate VPN where work resources go through the tunnel and personal browsing does not, gaming where the VPN-induced latency would harm gameplay, banking and streaming services that block VPN traffic, and per-app exclusions for software that breaks under VPN. Available on most VPN clients as Settings, Split Tunneling.
What it means in practice
The structural trade-off: split tunneling reduces the operational friction of always-on VPN at the cost of leaving some traffic on the unprotected network. The privacy implications depend on which traffic is excluded. Excluding banking and streaming from the VPN: usually fine, the privacy concern for those apps is managed by the apps’ own encryption. Excluding everything except a specific work resource: usually fine for the corporate VPN use case but defeats the broader privacy benefit of the personal VPN. Excluding by accident: the structural failure mode where the user does not realize a particular app is bypassing the VPN. The discipline is to audit the split-tunneling configuration explicitly and to assume excluded traffic is on the open network; for high-target users, the rule is usually no split tunneling (the VPN is on for everything) with the corporate-VPN scenario handled by routing through both tunnels.
Where it shows up
Available in: Mullvad (Settings, Split Tunneling, with per-app exclusions on desktop), Proton VPN (Settings, Connection, Split Tunneling), NordVPN, Surfshark, Windscribe, and most major consumer VPN clients. Used appropriately for: gaming or video calls where the VPN latency creates problems but the privacy benefit is not critical for those specific apps, corporate-VPN scenarios where work and personal traffic should route differently, and apps that break under VPN (banking apps with aggressive geo-detection, some streaming services). Used inappropriately for: the privacy-critical traffic you assumed was protected but configured into the bypass list, the recovery email and password manager logins that should always go through the VPN, and the social-media accounts that ad-targeting networks would correlate via the unprotected IP.
What you can change today
Audit the split-tunneling configuration on your VPN client. Open the client, find Split Tunneling settings, walk through the apps and protocols configured to bypass the tunnel, and remove anything that should not be bypassing. The default for most users should be no split tunneling: the VPN is on for everything, the apps that break under VPN get short-term bypasses logged to fix later rather than long-term exclusions. For corporate-VPN scenarios where personal and work traffic genuinely need different paths, configure two VPN profiles (personal Mullvad always-on, corporate work-resource on demand) rather than mixing them in a single split-tunnel configuration that is harder to verify.
