Split tunneling
from Wikipedia

In computer networking, split tunneling allows a user to access distinct security domains at the same time, using the same or different network connections.[1] This connection state is usually facilitated through the simultaneous use of a LAN network interface controller (NIC), radio NIC, Wireless LAN NIC, and virtual private network client software application. Split tunneling is most commonly configured via the use of a remote-access VPN client, which allows the user to simultaneously connect to a nearby wireless network, resources on an off-site corporate network, as well as websites over the internet.

A split tunnel configured to only tunnel traffic destined to a specific set of destinations is called a split-include tunnel. When configured to accept all traffic except traffic destined to a specific set of destinations, it is called a split-exclude tunnel.[2][3][4]

Not every VPN allows split tunneling.[5][6][7] Advantages of split tunneling include alleviating bottlenecks, conserving bandwidth (as internet traffic does not have to pass through the VPN server), and sparing the user from continually connecting and disconnecting when remotely accessing resources.[citation needed] Disadvantages include potentially bypassing gateway-level security that might be in place within the company infrastructure.[8] Internet service providers that implement DNS hijacking break name resolution of private addresses with a split tunnel.

Inverse split tunneling

An "inverse" split tunnel is one that allows all datagrams to enter the tunnel, except those destination IPs explicitly allowed by VPN gateway. The criteria for allowing datagrams to exit the local network interface (outside the tunnel) may vary from vendor to vendor. This keeps control of network gateways to a centralized policy device such as the VPN terminator. This can be augmented by endpoint policy enforcement technologies such as an interface firewall on the endpoint device's network interface driver, group policy object or anti-malware agent. This is related in many ways to network access control (NAC).[9]

Dynamic split tunneling

A form of split tunneling that derives the IP addresses to include or exclude at runtime, based on a list of hostname rules or policies.[10]

IPv6 dual-stack networking

Internal IPv6 content can be hosted and presented to sites via a unique local address range at the VPN level, while external IPv4 & IPv6 content can be accessed via site routers.

from Grokipedia
Split tunneling is a networking technique used in virtual private network (VPN) configurations that allows a remote user or device to route only organization-specific traffic through a secure VPN tunnel while directing all other traffic directly through the user's local internet gateway, thereby splitting the data paths between encrypted and unencrypted connections. This approach contrasts with full tunneling, where all traffic is forced through the VPN, and is commonly implemented to optimize resource usage in remote access scenarios. In practice, split tunneling operates by defining access control lists (ACLs) or route policies on the VPN gateway—such as those on Cisco Adaptive Security Appliances (ASA)—to specify which IP subnets, hosts, or applications send data via the tunnel, with the remainder bypassing it for faster local access. Microsoft Windows VPN profiles, for instance, support this through the VPNv2 Configuration Service Provider (CSP), where administrators can configure include or exclude routes to direct traffic selectively, often via tools like Microsoft Intune for enterprise management. Key benefits include reduced bandwidth consumption on the corporate VPN infrastructure, improved performance for non-sensitive activities like web browsing or streaming, and better scalability for large remote workforces, as seen in optimizations for Microsoft 365 traffic. However, it introduces security risks by potentially exposing non-tunneled traffic to threats on the user's local network or the public internet, such as malware infections or data leaks, unless mitigated with endpoint protection and strict policy enforcement. Split tunneling has become increasingly relevant in hybrid work environments, particularly since the early 2000s with the maturation of VPN technologies, enabling dynamic configurations like Cisco's AnyConnect or Microsoft's split tunnel for Teams media to balance security and efficiency. 
Configurations can be static, based on predefined routes, or dynamic, adapting to application needs, but they require careful auditing to ensure compliance with standards like NIST SP 800-53, which recommends controls to prevent unauthorized external access. Overall, while split tunneling enhances network efficiency, organizations must weigh these gains against the need for robust threat detection to maintain security.

Definition and Basics

Definition

Split tunneling is a networking technique that allows a user's device to simultaneously connect to multiple networks or security domains, such as a local network, a corporate intranet, and the public internet, by routing specific traffic through a secure virtual private network (VPN) tunnel while directing other traffic via direct connections. In this approach, typically implemented in remote-access VPN clients, only selected data packets—often those destined for internal organizational resources—are encapsulated within an encrypted tunnel to ensure secure transmission over public networks, enabling controlled access without forcing all internet activity through the VPN. This method contrasts with full tunneling, where all outbound traffic from the device is routed through the VPN gateway, regardless of its destination. The primary purpose of split tunneling is to optimize performance and resource utilization by avoiding unnecessary latency and bandwidth consumption for non-sensitive traffic, such as general web browsing or streaming, which can instead use the user's default gateway. For instance, in corporate environments, it permits remote employees to securely access proprietary systems or databases via the VPN while allowing everyday online activities to bypass the tunnel for faster speeds and reduced load on the organization's infrastructure. This selective routing is configured based on criteria like IP addresses, domains, or applications, ensuring that the tunnel serves as a secure path primarily for protected resources.

History

Split tunneling emerged in the mid-1990s as a configuration option in early remote access VPN protocols, notably alongside the Point-to-Point Tunneling Protocol (PPTP), which was developed by Microsoft and a consortium of companies including Ascend Communications and 3Com to enable secure dial-up connections over the public internet. PPTP, introduced in 1996, supported split tunneling through client settings that allowed users to route only specific traffic through the VPN while directing other traffic directly to the local connection, addressing the limited bandwidth of dial-up modems prevalent at the time. The feature gained popularity in the early 2000s with the advent of enterprise-grade VPN solutions, particularly as broadband began replacing dial-up while bandwidth constraints persisted for remote workers. Cisco Systems played a key role in its widespread adoption by incorporating split tunneling into its remote access products; in 1999, following user feedback during testing, Altiga Networks added the capability to its VPN appliances, which Cisco acquired in March 2000 and rebranded as the VPN 3000 Series concentrator. Other vendors similarly integrated split tunneling into their SSL VPN offerings around the mid-2000s, enhancing remote access efficiency in enterprise environments where full tunneling would overload connections. These implementations were driven by the need to optimize performance during the transition to broadband, allowing corporate traffic to traverse the VPN while permitting local internet access without unnecessary overhead. By 2005-2010, split tunneling had become a standard feature in major VPN clients and appliances, with Cisco's release of the ASA 5500 series in 2005 merging firewall and VPN functionalities that included advanced split tunneling policies, and the introduction of the AnyConnect client in 2006 further standardizing it across platforms.
Adoption accelerated post-2010 amid the growth of cloud and SaaS services, as organizations sought to balance security with performance; for instance, the rise in distributed workforces from 2010 onward prompted wider use of split tunneling to route only internal resources through VPNs while accessing SaaS applications directly. This trend intensified dramatically during the COVID-19 pandemic starting in 2020, when global lockdowns led to a surge in remote work—with remote workers increasing by over 400% in some regions from pre-pandemic levels—overloading traditional VPN infrastructures and driving widespread adoption of split tunneling to optimize bandwidth for essential corporate traffic while allowing direct internet access for other activities. As of 2025, split tunneling remains a core feature in hybrid work models, supporting efficient access in distributed environments.

Technical Implementation

Mechanism

Split tunneling functions by selectively routing network traffic through a virtual private network (VPN) tunnel while directing the remainder via the local connection, leveraging the foundational VPN encapsulation process where data packets are wrapped in a secure protocol for transmission over an untrusted network. The process begins when the VPN client establishes a secure tunnel to the VPN server using protocols such as IPsec or OpenVPN, creating a virtual interface on the client device. Once the tunnel is active, routing rules—defined by criteria like destination IP addresses, ports, or domains—are applied to classify traffic. These rules direct matching traffic, such as packets bound for corporate subnets, into the encrypted tunnel for encapsulation and forwarding to the server, while non-matching traffic, like general web browsing, bypasses the tunnel and follows the client's default route to the local gateway. The client then updates its operating system's routing table to implement these decisions, ensuring persistent separation of paths during the session. Key components enabling this mechanism include modifications to the client's routing tables, which add specific entries pointing to the VPN interface for selected destinations while preserving the original default route for others. Policy-based routing (PBR) extends this by allowing decisions beyond simple IP destinations, incorporating factors like protocols or source interfaces to enforce the split. Application-layer proxies may also intervene, inspecting traffic at higher OSI layers to redirect it accordingly. In IPsec implementations, split routes encapsulate targeted packets using protocols like Encapsulating Security Payload (ESP), routing them via the tunnel interface. OpenVPN achieves similar results by pushing route directives from the server, which the client integrates into its routing table to route only defined subnets through the tunnel.
Regarding traffic flow, corporate-bound packets originating from the client are first evaluated against the routing rules; if they match, they undergo encapsulation within the VPN protocol and are transmitted to the server over the tunnel, where they are decapsulated and forwarded to the internal network. In contrast, general internet packets that do not match the rules proceed directly to the local ISP gateway without encapsulation, utilizing the client's native network interface for faster, unencrypted transit. This dual-path approach relies on the VPN encapsulation basics, such as adding security headers to protect tunneled data while leaving local traffic untouched.

Configuration Methods

Client-side configuration of split tunneling typically involves modifying VPN client settings to exclude specific routes or applications from the tunnel. For instance, in the Windows built-in VPN, administrators can enable split tunneling by editing the connection properties in the Network and Sharing Center, where routes are specified to direct only certain traffic over the VPN while allowing other traffic to use the local interface. Similarly, the Cisco AnyConnect Secure Mobility Client supports split tunneling through its profile editor, where users or admins define IP address ranges or application-based rules to bypass the tunnel, such as excluding local LAN access via the "AllowLocalLanAccess" parameter in the client profile XML. For OpenVPN clients, split tunneling can be enabled by editing the .ovpn configuration file. Administrators or users should first create a backup of the file. Then, append the following lines at the end: pull-filter ignore "redirect-gateway" and pull-filter ignore "redirect-gateway def1". Optionally, to handle IPv6, add pull-filter ignore "route-ipv6". These directives instruct the client to ignore server-pushed configurations that would redirect all traffic through the VPN, while still accepting specific routes for corporate resources. After saving the changes, reimport the configuration into the client application, such as Passepartout on iOS, and disable any "Route all traffic" option if available before connecting. Server-side policies for split tunneling are enforced at the VPN gateway to control traffic based on administrative rules. These policies often distinguish between split-include modes, which tunnel only specified IP ranges (e.g., corporate subnets), and split-exclude modes, which tunnel all traffic except designated exclusions like public destinations.
Dynamic assignment of such policies can integrate with protocols like RADIUS or LDAP; for example, Cisco ASA firewalls use LDAP attribute maps to assign group policies dynamically upon user authentication, pushing tailored split tunneling rules to clients based on user roles or directory groups. FortiGate devices similarly configure server-side split tunneling in SSL VPN settings, defining addresses that push selective routes to clients via the FortiClient. Integration with firewalls enhances policy enforcement for split tunneling. FortiGate firewalls enable split tunneling by configuring SSL VPN portals with split tunneling enabled and defining firewall policies that route only internal traffic through the tunnel while excluding external destinations. Palo Alto Networks firewalls, through GlobalProtect gateways, support split tunneling based on access routes, domains, or applications, where administrators configure selection lists to include or exclude specific flows at the gateway level. For mobile devices, mobile device management (MDM) solutions facilitate split tunneling by deploying VPN profiles; Microsoft Intune, for example, configures per-app VPN policies for iOS and Android, enforcing split rules that tunnel only managed app traffic while allowing personal apps to bypass the VPN. Best practices for initial split tunneling setup emphasize thorough verification to ensure correct traffic segregation. Administrators should test configurations using tools like traceroute to compare paths for tunneled versus excluded destinations, confirming that internal resources route via the VPN while external ones use the direct connection. This testing, combined with route table inspections post-connection, helps identify misconfigurations early and validates the overall split behavior without disrupting user access.
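To show why the pull-filter directives above produce a split tunnel, here is an added example (not code from OpenVPN or from the original page) that evaluates pull-filter rules the way OpenVPN does, first match wins and unmatched options are accepted, against a constructed set of server-pushed options; the client config, the pushed options and the hostname are all constructed samples.

```python
"""Evaluate OpenVPN 'pull-filter' directives against server-pushed options.
Added illustration: ignoring 'redirect-gateway' drops the pushed default
route, while per-subnet 'route' pushes still reach the client."""
import shlex

# Constructed client config; only the pull-filter lines matter here.
# A single 'redirect-gateway' prefix already covers 'redirect-gateway def1',
# since pull-filter matches on the start of the pushed option text.
CLIENT_CONFIG = """\
client
dev tun
remote vpn.example.test 1194
pull-filter ignore "redirect-gateway"
pull-filter ignore "route-ipv6"
"""

# Constructed stand-in for what a server would send in its PUSH_REPLY.
PUSHED_OPTIONS = [
    "redirect-gateway def1 bypass-dhcp",
    "route 10.20.0.0 255.255.0.0",
    "route 192.168.1.0 255.255.255.0",
    "route-ipv6 fd00:1234::/48",
    "dhcp-option DNS 10.20.0.53",
]


def parse_pull_filters(config_text):
    """Return [(action, prefix), ...] in file order."""
    filters = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("pull-filter"):
            continue
        parts = shlex.split(line)
        if len(parts) != 3 or parts[1] not in ("accept", "ignore", "reject"):
            raise ValueError(f"malformed directive: {line}")
        filters.append((parts[1], parts[2]))
    return filters


def apply_pull_filters(filters, pushed):
    """Apply OpenVPN semantics: the first matching filter decides, and an
    option matched by no filter is accepted. 'reject' aborts the connection
    in OpenVPN, so it raises here. Returns (accepted, ignored)."""
    accepted, ignored = [], []
    for opt in pushed:
        action = "accept"
        for act, prefix in filters:
            if opt.startswith(prefix):  # prefix match, so "route" would also hit "route-ipv6"
                action = act
                break
        if action == "reject":
            raise RuntimeError(f"server pushed rejected option: {opt}")
        (accepted if action == "accept" else ignored).append(opt)
    return accepted, ignored


def tunnelled_subnets(accepted):
    """Subnets the client will route via the tun interface after filtering.
    A surviving redirect-gateway means 'everything', shown as 0.0.0.0/0.0.0.0."""
    subnets = []
    for opt in accepted:
        parts = opt.split()
        if parts[0] == "route" and len(parts) >= 3:
            subnets.append((parts[1], parts[2]))
        elif parts[0] == "redirect-gateway":
            subnets.append(("0.0.0.0", "0.0.0.0"))
    return subnets


if __name__ == "__main__":
    filters = parse_pull_filters(CLIENT_CONFIG)
    accepted, ignored = apply_pull_filters(filters, PUSHED_OPTIONS)
    print("ignored:", ignored)
    print("tunnelled:", tunnelled_subnets(accepted))
```

Running the same pushed options with no filters shows the full-tunnel result, where the pushed redirect-gateway survives and the whole address space goes via tun.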

Benefits and Drawbacks

Advantages

Split tunneling conserves bandwidth by routing general internet traffic directly through the user's local connection, bypassing the VPN server and thereby reducing the load on organizational networks. This approach alleviates the need for all data to traverse centralized gateways, which can otherwise strain resources and increase operational costs for enterprises with limited bandwidth allocations. By avoiding the latency and overhead of full tunneling for non-sensitive traffic, split tunneling improves connection speeds and reduces latency, particularly for bandwidth-intensive activities such as video streaming or large file downloads. Users experience smoother performance in these scenarios because the traffic follows the most direct path to public destinations, rather than detouring through remote VPN servers. Split tunneling enhances user flexibility by allowing seamless access to local network resources, such as printers or shared drives, without requiring a full VPN disconnection or reconfiguration. This capability is especially valuable in remote work environments, where it helps mitigate bottlenecks associated with routing all traffic through a single gateway, enabling multitasking between corporate and personal activities. For large-scale deployments, split tunneling promotes network efficiency by distributing loads more evenly, as only corporate-bound data consumes VPN resources, supporting scalability for organizations with numerous remote users. This selective routing prevents congestion at central points, optimizing overall throughput without compromising access to essential internal systems. In environments subject to internet censorship, split tunneling combined with routing all DNS queries through a remote server via proxy using DNS over HTTPS (DoH), such as Google's public resolver accessed through the VPN, enables selective VPN routing for blocked sites. This setup eliminates ISP DNS poisoning or timeouts by ensuring all queries receive accurate IP addresses from a clean resolver.
Subsequently, only traffic to those target domains is routed through the proxy for masking and access, while the rest proceeds directly to maintain speed and avoid the overhead of full tunneling, thereby efficiently bypassing censorship.

Disadvantages

Split tunneling can result in inconsistent connectivity due to mismatched routing decisions, where traffic intended for the secure tunnel may inadvertently use the local network path or vice versa. This mismatch often leads to DNS resolution failures, as queries may fall back to the physical interface's DNS servers after failing on the VPN interface, causing unreliable name resolution for internal resources. In heterogeneous environments, such inconsistencies can further complicate access to resources, exacerbating connectivity variability across different network conditions. The implementation of split tunneling introduces significant management complexity, as administrators must define precise rules for traffic to prevent misrouting between the tunnel and local paths. This precision requirement often results in substantial overhead, particularly when updating rules to accommodate changing network topologies or user needs. Compatibility challenges arise because not all VPN protocols and client devices support split tunneling uniformly, leading to setup difficulties in diverse environments with mixed operating systems or legacy hardware. For example, certain client systems, such as kiosks without sufficient privileges, may fail to handle split tunneling effectively, requiring additional workarounds or exclusions. These issues can prolong deployment times and increase operational friction in multi-vendor or multi-device setups.

Security Considerations

Risks

Split tunneling introduces significant cybersecurity vulnerabilities by routing certain traffic outside the protected VPN tunnel, exposing users and organizations to various threats. Non-tunneled traffic remains unencrypted and traverses public networks or local connections directly, making it susceptible to interception by internet service providers (ISPs), malicious actors, or malware installed on compromised devices. This can result in the exposure of sensitive data, such as credentials, as attackers may eavesdrop on unsecured connections without the VPN's encryption layer. For instance, on public networks, this direct routing amplifies risks from passive monitoring or active exploits. A primary concern is the bypass of corporate security measures, as split-tunneled traffic evades organizational firewalls, intrusion detection/prevention systems (IDS/IPS), and content filtering tools. Users can thus access potentially malicious websites or services directly via their local connection, introducing malware or enabling unauthorized data transfers without detection by central security infrastructure. This creates blind spots in network visibility, allowing threats like malware or command-and-control communications to proliferate unchecked. Direct internet paths in split tunneling also heighten susceptibility to DNS hijacking and man-in-the-middle (MITM) attacks. Without the VPN's secure DNS resolution or traffic inspection, users are more vulnerable to ISP-level tampering, where domain queries are redirected to fraudulent sites, or to MITM intercepts on untrusted networks that alter data in transit. Phishing attempts become easier, as attackers can impersonate legitimate endpoints without the protective routing enforced by full tunneling. Compliance with data protection regulations poses another critical risk, as split tunneling can lead to unauthorized leakage of sensitive information via unprotected routes, violating standards such as GDPR and HIPAA.
For organizations handling personal health data or citizen information, this partial exposure may result in regulatory penalties, as it undermines requirements for confidentiality and auditability of data flows. A notable example is the TunnelCrack vulnerability (disclosed in 2023), which exploits split tunneling configurations in VPN clients to leak traffic outside the tunnel through manipulated routing tables, affecting platforms including Windows and macOS, and potentially compromising compliance by revealing unencrypted user data.

Mitigation Strategies

To mitigate the security risks associated with split tunneling, organizations can implement strict enforcement mechanisms that define app-based or domain-based rules, ensuring only authorized traffic bypasses the VPN while integrating endpoint protection platforms for real-time monitoring of split traffic. For instance, endpoint detection and response (EDR) tools can enforce granular policies by inspecting bypassed traffic for anomalies, such as unauthorized connection attempts, and blocking malicious activities at the device level. This approach maintains visibility into non-tunneled flows without requiring full tunneling, thereby balancing performance and protection. Hybrid strategies that incorporate zero-trust network access (ZTNA) models further enhance security by providing granular, identity-based controls for resources accessed via split tunnels, verifying users and devices continuously rather than trusting network perimeters. ZTNA solutions, for example, can segment access to specific applications, ensuring that even direct internet-bound traffic adheres to least-privilege principles and preventing lateral movement if a device is compromised. Complementing this, multi-factor authentication (MFA) enforced at VPN entry points adds an additional layer of verification, reducing unauthorized access risks during tunnel establishment. Effective monitoring and auditing involve deploying comprehensive logging on VPN gateways to capture details of bypassed traffic, such as destination IPs and protocols, enabling detection of policy violations or suspicious patterns. Regular audits of these logs, often integrated with security information and event management (SIEM) systems, ensure rule accuracy and compliance, allowing organizations to refine split tunneling configurations proactively. This ongoing oversight helps identify misconfigurations that could expose sensitive data, maintaining operational integrity without overwhelming network resources.
Integrating complementary technologies, such as local firewalls on endpoints and secure DNS protocols like DNS over HTTPS (DoH), protects direct paths by filtering outbound traffic and preventing DNS-based attacks that exploit split routes. Local firewalls can enforce device-level rules to block unauthorized connections from non-tunneled traffic, while DoH encrypts DNS queries to mitigate spoofing or hijacking risks on untrusted networks. These layered defenses ensure that split tunneling does not create unprotected vectors, enhancing overall resilience. In environments subject to internet censorship, a specific mitigation involves routing all DNS queries through a remote server via the VPN proxy within a split tunneling setup to counter DNS poisoning and timeouts imposed by ISPs on blocked sites. By directing DNS traffic to a clean DoH resolver, such as Google's 8.8.8.8, over the VPN tunnel, users obtain accurate IP addresses for restricted domains. This enables selective routing of only the traffic destined for those IPs through the VPN for obfuscation and access, while non-restricted traffic proceeds directly for optimal performance, thereby bypassing censorship mechanisms without the overhead of full tunneling.

Variants

Include-Exclude Models

In split tunneling, the include-exclude models represent two primary rule-based approaches for selectively routing traffic through a VPN versus direct connections. These models rely on predefined policies to determine which network traffic is encrypted and sent via the secure tunnel, balancing access needs with resource efficiency. The split-include model, also known as "tunnelspecified" in Cisco implementations, routes only explicitly designated traffic through the VPN while directing all other traffic directly to the local gateway. This approach is particularly suited for scenarios requiring minimal corporate network access, such as remote workers needing connectivity to specific internal resources like file servers or applications without encumbering general web browsing. For example, an organization might configure the model to tunnel traffic destined for corporate IP ranges (e.g., 192.168.1.0/24) while allowing social media or streaming services to bypass the tunnel. In contrast, the split-exclude model, referred to as "excludespecified" in Cisco terminology, tunnels all traffic by default except for explicitly excluded destinations, which are routed directly to the local network. This configuration is ideal for environments prioritizing broad protection, such as excluding high-bandwidth activities like video streaming to specific domains (e.g., netflix.com) while ensuring the majority of traffic, including sensitive data, passes through the VPN for inspection and protection. An example includes excluding local LAN traffic (e.g., 10.0.0.0/24) to maintain access to printers or nearby devices without VPN overhead. Rule implementation in these models typically uses access control lists (ACLs) or equivalent policies to match traffic based on criteria such as IP subnets, ports, or fully qualified domain names (FQDNs). In configurations supporting IKEv2, an ACL defines the include or exclude criteria; for instance, an extended ACL might permit IP traffic from a client to a corporate server on TCP port 443 for the include model.
These rules are applied via group policies, such as split-tunnel-policy tunnelspecified followed by split-tunnel-network-list value acl_name, ensuring compatibility with IKEv2's negotiation for remote access VPNs. GlobalProtect similarly supports include/exclude rules for IP addresses, FQDNs, or access routes in its portal and gateway configurations. The include model offers significant bandwidth conservation by limiting VPN usage to essential traffic, reducing latency and costs for non-corporate activities, but it carries the risk of overlooking unlisted resources, potentially leading to incomplete access or security gaps if policies are not exhaustive. Conversely, the exclude model ensures comprehensive coverage of traffic for security enforcement, minimizing exposure of sensitive data, yet it imposes higher overhead on the VPN infrastructure due to increased data volume, which can strain bandwidth in large-scale deployments.
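The following added example (not taken from the original page or from any vendor) builds the client routing table that the Mechanism section describes for each of the two models and resolves destinations against it with longest-prefix matching, the way the operating system does. In exclude mode the VPN default is installed as the two half-routes 0.0.0.0/1 and 128.0.0.0/1 (the OpenVPN "def1" idea) so the physical default route survives and excluded prefixes win by being more specific; the prefixes and addresses are constructed samples, and verify() is a hypothetical helper for the post-connection route check recommended above.

```python
"""Simulate split-include and split-exclude routing tables and resolve
destinations against them. Added illustration with constructed prefixes."""
from ipaddress import ip_address, ip_network


def build_routes(mode, networks, vpn_if="tun0", lan_if="eth0"):
    """Return a list of (network, interface) routes for the given model.

    include: only `networks` go via the VPN; the LAN default route is untouched.
    exclude: everything goes via the VPN except `networks`. The VPN default is
             0.0.0.0/1 + 128.0.0.0/1 so it outranks the /0 LAN default without
             replacing it; excluded prefixes are more specific still and win.
    """
    routes = [(ip_network("0.0.0.0/0"), lan_if)]  # default via the physical NIC
    if mode == "include":
        routes += [(ip_network(n), vpn_if) for n in networks]
    elif mode == "exclude":
        routes += [(ip_network("0.0.0.0/1"), vpn_if),
                   (ip_network("128.0.0.0/1"), vpn_if)]
        routes += [(ip_network(n), lan_if) for n in networks]
    else:
        raise ValueError("mode must be 'include' or 'exclude'")
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ip_address(dest)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def verify(routes, must_tunnel, must_bypass, vpn_if="tun0"):
    """Hypothetical post-connection check: return destinations whose resolved
    path contradicts the intended policy (an empty list means the split is
    correct). Catches the 'unlisted internal resource' gap of include mode."""
    bad = [d for d in must_tunnel if lookup(routes, d) != vpn_if]
    bad += [d for d in must_bypass if lookup(routes, d) == vpn_if]
    return bad


if __name__ == "__main__":
    inc = build_routes("include", ["192.168.1.0/24", "10.20.0.0/16"])
    exc = build_routes("exclude", ["10.0.0.0/24", "198.51.100.0/24"])
    for dest in ("192.168.1.10", "10.0.0.5", "93.184.216.34"):
        print(dest, "include ->", lookup(inc, dest), "| exclude ->", lookup(exc, dest))
    print("include-mode gaps:", verify(inc, ["192.168.1.10", "172.16.0.1"], ["93.184.216.34"]))
```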

Inverse Split Tunneling

Inverse split tunneling is a variant of split tunneling that routes all incoming and outgoing network traffic through the VPN tunnel by default, with explicit exclusions for specific IP addresses, domains, or applications to allow direct internet access. This configuration ensures that the vast majority of data flows are encrypted and subject to inspection, while permitting controlled bypasses for performance-critical or low-risk traffic. It is commonly deployed in controlled environments to maintain compliance with standards like NIST SP 800-53, which permits split tunneling only if securely provisioned to prevent unauthorized external connections. Unlike traditional split tunneling, which selectively routes only designated traffic through the VPN to conserve bandwidth, inverse split tunneling reverses this logic by prioritizing security over optimization. All traffic enters the tunnel unless explicitly excluded, thereby minimizing exposure to unmonitored paths and reducing opportunities for interception by ensuring sensitive communications are inspected at the VPN gateway. This approach is particularly effective in high-security settings where full tunneling might impose excessive latency, but partial direct access must be tightly restricted to trusted destinations. In enterprise implementations, such as Palo Alto Networks' GlobalProtect, inverse split tunneling is achieved via exclude-route options in access route-based configurations, where rules are defined using access control lists (ACLs) to specify excluded traffic like video streaming or VoIP services. For instance, administrators can exclude IP ranges for such services to optimize performance while tunneling all other traffic for policy enforcement. This setup aligns with include-exclude models by focusing on exclusions as the primary mechanism.
A key application of inverse split tunneling is in breach scenarios, where it helps protect against lateral movement by channeling most internal traffic through inspected VPN paths, enabling detection of anomalous communications that might otherwise occur directly between compromised endpoints. By defaulting to the tunnel, it limits attackers' ability to pivot across the network without passing through centralized inspection.

Dynamic Split Tunneling

Dynamic split tunneling represents an adaptive approach to VPN traffic routing, where inclusion or exclusion rules for the tunnel are modified in real time based on contextual factors such as hostname resolution via DNS, user details, or integrated threat intelligence feeds. This allows the VPN client to dynamically resolve fully qualified domain names (FQDNs) to IP addresses at runtime and adjust routing accordingly, ensuring that traffic to specific services—such as cloud-based applications with frequently changing endpoints—is handled optimally without manual reconfiguration. For instance, domains associated with corporate resources can be automatically included in the tunnel upon resolution, while non-essential traffic bypasses it to maintain performance. Implementation of dynamic split tunneling typically relies on policy attributes and APIs within enterprise VPN platforms, enabling runtime inclusion or exclusion. In solutions like Cisco AnyConnect, administrators define custom attributes such as dynamic-split-exclude-domains or dynamic-split-include-domains within group policies on devices like ASA or Firepower Threat Defense (FTD), listing domains in comma-separated format (e.g., office.com,sharepoint.com). The client then performs DNS lookups during the session to populate access control lists (ACLs) dynamically, supporting policies like "tunnel all domains except specified" or vice versa. This mechanism integrates with existing split tunneling frameworks but extends them by processing rules post-authentication, often through management interfaces like Adaptive Security Device Manager (ASDM) or Firepower Management Center (FMC). In practice, dynamic split tunneling enhances responsiveness to evolving network conditions, such as adding routes for newly accessed corporate applications during a session or applying geolocation-based policies to route traffic from high-risk regions through the tunnel for added scrutiny.
By leveraging user context—such as role-based group policies—it ensures that, for example, executive users receive stricter tunneling for sensitive domains compared to general staff. This adaptability contrasts with static include-exclude models by allowing ongoing adjustments without session restarts, thereby optimizing bandwidth for remote work scenarios involving SaaS tools like Microsoft 365. Despite its advantages, dynamic split tunneling introduces challenges that necessitate sophisticated management. It requires advanced orchestration tools, such as centralized policy engines in platforms like FMC, to handle DNS resolution overhead and ensure consistent rule application across clients. Potential issues include rule conflicts, where overlapping dynamic and static exclusions lead to unintended traffic leakage, often stemming from syntax errors in domain lists (e.g., missing commas), which can necessitate policy recreation rather than simple edits. Administrators must also monitor for performance impacts from frequent DNS queries, particularly in high-latency environments.
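As an added example (not vendor code and not from the original page), the block below models the runtime side of a dynamic-split-exclude-domains list: it parses the comma-separated value, rejecting the missing-comma mistake mentioned above instead of silently accepting a list that matches nothing, does suffix matching on label boundaries, and resolves matching hostnames through an injected resolver to build the exclude address set. FAKE_DNS and fake_resolve are constructed stand-ins for real DNS answers so the code runs offline.

```python
"""Build a runtime exclude ACL from a dynamic split-tunnel domain list.
Added illustration; the domain list and DNS answers are constructed."""
import re
from ipaddress import ip_address

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed DNS answers standing in for runtime lookups.
FAKE_DNS = {
    "www.office.com": ["203.0.113.10", "203.0.113.11"],
    "tenant.sharepoint.com": ["203.0.113.20"],
    "intranet.corp.example": ["10.20.1.5"],
    "notoffice.com": ["198.51.100.7"],
}


def fake_resolve(hostname):
    """Resolver stub with the shape a real DNS client would have."""
    return FAKE_DNS.get(hostname, [])


def parse_domain_list(value):
    """Parse 'office.com,sharepoint.com' into normalised domains.

    Raises on 'office.com sharepoint.com' (missing comma): that entry would
    never match a real hostname, so the traffic it was meant to cover would
    quietly take the wrong path instead of failing visibly.
    """
    domains = []
    for raw in value.split(","):
        d = raw.strip().lower().rstrip(".")
        if not d:
            raise ValueError("empty entry (stray comma?)")
        if " " in d:
            raise ValueError(f"whitespace inside entry {d!r}: missing comma?")
        if "." not in d or not all(_LABEL.match(lbl) for lbl in d.split(".")):
            raise ValueError(f"not a valid domain: {d!r}")
        domains.append(d)
    return domains


def matches(hostname, domains):
    """Suffix match on label boundaries: 'www.office.com' matches
    'office.com'; 'notoffice.com' does not."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def runtime_acl(observed_hostnames, domains, resolve):
    """Resolve every observed hostname covered by the policy and return the
    sorted address list the client would add to its exclude ACL."""
    acl = set()
    for host in observed_hostnames:
        if matches(host, domains):
            for ip in resolve(host):
                acl.add(ip_address(ip))
    return [str(a) for a in sorted(acl, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    policy = parse_domain_list("office.com,sharepoint.com")
    print(runtime_acl(list(FAKE_DNS), policy, fake_resolve))
```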

Full Tunneling

Full tunneling, in contrast to split tunneling, which routes only selected traffic through the virtual private network (VPN) and lets other traffic reach the internet directly, directs all network traffic, including internet-bound packets, through the VPN so that security policy is enforced comprehensively and centrally. The VPN gateway becomes the sole path for outbound and inbound traffic, preventing direct exposure to public networks and allowing uniform application of security controls such as firewalls and intrusion detection. Compared with split tunneling, full tunneling offers stronger protection because the entire traffic flow is encrypted and inspected, but it adds latency from the extra hop and consumes more bandwidth on the VPN infrastructure, since all traffic traverses the tunnel. It is common in high-compliance sectors such as healthcare, where requirements for visibility and auditing of communications favour routing everything through monitored infrastructure and help mitigate data leakage. Typical use cases include corporate environments that require complete oversight of employee internet activity, for example to monitor compliance with data protection standards, and VPN client implementations that default to force tunneling when no specific routes are configured, so that the policy is enforced without user-configurable bypasses. Organizations may move from split to full tunneling after a risk assessment when heightened threats, such as advanced persistent threats or regulatory audits, call for stronger control over traffic visibility and encryption, prioritizing security over performance.

A full tunnel does not by itself give an employer the ability to record personal banking credentials such as usernames and passwords, and standard enterprise configurations make this unlikely. It is technically feasible only if TLS traffic is decrypted, which requires a company root certificate installed on the device and an inspecting proxy; at that point plaintext, including form submissions, is visible. Several factors weigh against it: policy-based exclusions for financial-services categories, often justified by reference to regulations such as PCI DSS; certificate pinning in mobile banking apps, which rejects the interception certificate and causes the connection to fail (browsers, by contrast, generally skip pin checks for locally installed enterprise roots, so pinning is not a safeguard there); and configuration practices that prioritize threat detection over inspecting personal financial traffic, to avoid legal and ethical exposure. Without decryption, the VPN gateway sees only metadata such as bank domains, timestamps, and data volumes, not the encrypted content. Logging individual passwords is not a routine function of security tooling.

IPv6 Dual-Stack Networking

In dual-stack environments, where IPv4 and IPv6 coexist, split tunneling can be configured to route internal IPv6 traffic through the VPN tunnel while sending external IPv4 and IPv6 internet traffic directly to the public network. This addresses a transition problem during IPv6 adoption: providing secure access to IPv6-enabled corporate resources without degrading general internet access. Technically it requires per-family routing policy: the prefixes assigned to the corporate network (a prefix such as 2001:db8::/32, which is the IPv6 documentation prefix rather than a private range, serves as the example here) are routed via the tunnel, while the default routes for IPv4 (0.0.0.0/0) and IPv6 (::/0) bypass it. VPN clients expose settings to enable such split tunnels, handling both protocols independently and avoiding network address translation (NAT) complications, which are rare in native IPv6 but arise in mixed environments. In SSL VPN implementations, for instance, administrators can enable split tunneling explicitly so that only specific destinations, such as an internal server, traverse the secure tunnel. The relevance of dual-stack split tunneling has grown as IPv6 deployment has become widespread, particularly after the World IPv6 Launch in 2012, which encouraged permanent IPv6 enablement by major providers. In cloud environments such as AWS Virtual Private Clouds (VPCs), Client VPN endpoints support IPv6 alongside split tunneling, so users can tunnel only VPC-bound IPv6 traffic (for example via Transit Gateway attachments with inner IPv6 addresses) while reaching the broader internet directly, optimizing hybrid connectivity.

A key benefit is seamless access to IPv6-only internal resources without forcing all dual-stack traffic through the VPN, which reduces latency for public activities and lowers bandwidth costs in scenarios such as cloud integration. Selective tunneling also improves security by isolating corporate IPv6 segments while preserving native IPv6 performance for external communications, avoiding the blunt alternative of disabling IPv6 entirely on client devices. The converse caveat applies to full tunnels: a client that installs only IPv4 routes into the tunnel on a dual-stack host leaves IPv6 traffic to follow the native ::/0 route, bypassing the VPN, so a full-tunnel policy has to override both address families.
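The following Python is an added example, not the page's or any vendor's code, that models the route tables behind both the dual-stack split tunnel described here and the force-tunnel case from the Full Tunneling section. It performs longest-prefix matching per address family, builds a split-include table and a full-tunnel table, and checks which destinations would escape a tunnel that only overrides IPv4. Interface names, the gateway address, the corporate prefixes and the probe addresses are constructed (documentation ranges), and the two-/1-routes technique is one common way clients override a default route without deleting it.

```python
import ipaddress


class RouteTable:
    """Longest-prefix-match table, per address family, as the endpoint holds it
    once the VPN client has pushed its routes.  Interface names are constructed."""

    def __init__(self):
        self.routes = []                       # (network, egress interface)

    def add(self, prefix: str, iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, dst: str) -> str:
        ip = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:         # cross-family 'in' is always False
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else "unreachable"


def dual_stack_split_table() -> RouteTable:
    """Split-include on both families: corporate prefixes via tun0, the
    defaults via the physical interface.  2001:db8::/32 is the IPv6
    documentation prefix standing in for a real corporate allocation."""
    t = RouteTable()
    t.add("0.0.0.0/0", "wlan0")
    t.add("::/0", "wlan0")
    t.add("10.0.0.0/8", "tun0")
    t.add("2001:db8::/32", "tun0")
    return t


def full_tunnel_table(ipv6_aware: bool, gateway: str = "203.0.113.1") -> RouteTable:
    """Full tunnel built the common way: two /1 routes beat the physical default
    without deleting it, and a host route keeps the VPN gateway itself
    reachable outside the tunnel.  With ipv6_aware=False only IPv4 is overridden,
    which is the misconfiguration behind IPv6 leaks on dual-stack hosts."""
    t = RouteTable()
    t.add("0.0.0.0/0", "wlan0")
    t.add("::/0", "wlan0")
    t.add(f"{gateway}/32", "wlan0")
    t.add("0.0.0.0/1", "tun0")
    t.add("128.0.0.0/1", "tun0")
    if ipv6_aware:
        t.add("::/1", "tun0")
        t.add("8000::/1", "tun0")
    return t


def leak_check(table: RouteTable, destinations: list[str]) -> list[str]:
    """Under a tunnel-all intent, any destination whose egress is not tun0 leaks."""
    return [d for d in destinations if table.lookup(d) != "tun0"]


# Constructed probe set from IPv4/IPv6 documentation ranges, not real hosts.
PROBES = ["10.1.2.3", "2001:db8:1::10", "198.51.100.5", "3fff::1"]

if __name__ == "__main__":
    split = dual_stack_split_table()
    print({d: split.lookup(d) for d in PROBES})
    print("IPv4-only full tunnel leaks:", leak_check(full_tunnel_table(False), PROBES))
    print("dual-stack full tunnel leaks:", leak_check(full_tunnel_table(True), PROBES))
```

On the split table the two corporate probes egress via tun0 and the two public ones via wlan0; on the IPv4-only full tunnel both IPv6 probes are reported as leaks, while the dual-stack full tunnel reports none and still reaches the gateway through the physical interface.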
