Working from home certainly has its fair share of upsides - when planned and executed correctly. However, the ongoing Coronavirus outbreak has forced many of us to use tools that might complicate our regular workflow. More precisely, many of us are now using VPN (Virtual Private Network) applications. When appropriately executed, VPNs secure internal communications within a company by creating a closed network - which seems more important now than it did ever before. However, this doesn’t mean that you shouldn’t think about improving this setup and optimizing your workflow. Well, split-tunneling is perhaps the best way to fine-tune your VPN connection and make it work for you the way you want it. With this said, let’s talk about split-tunneling and its use within enterprise VPN solutions.
The most important thing you need to know is this - split-tunneling can improve the speed of your Web connection by taking some traffic out of your VPN tunnel. And also, you can protect your privacy by not routing everything through your company's servers. However, plenty of questions need to be answered before you're ready to use this technology. So, by the end of this article, you’ll get to learn about split-tunneling, including the best ways to implement this technology into your daily workflow. And don’t worry, you don’t need to be an IT expert to understand this article - as we’ll do our best to explain everything about split-tunneling in the most straightforward way possible.
IMPORTANT: In this article, we’ll talk about split-tunneling on enterprise VPN solutions. Therefore, this article is for those who work from home by using a VPN supplied by their company (an enterprise solution). In case you use a publicly available (commercial) VPN service and wish to know more about split-tunneling, make sure to use the provided link to learn about this aspect of routing your Web traffic via two different channels.
First Things First - What is Split-Tunneling?
To help you understand what split-tunneling is, we first need to explain the route your Web traffic takes depending on whether you use a VPN. More precisely, it all comes down to three phases, as described below.
- Phase 1: Before you connect to a VPN server, your ISP (Internet Service Provider) is in charge of your Web traffic. Everything you do online in this phase is visible to anyone else, and this includes your ISP. In other words, your Web data is out there in the open, without any protection.
- Phase 2: Once you connect to a remote (VPN) server, all your Web traffic starts to flow through the servers of your chosen VPN. All that data is transmitted through a secure tunnel - which means that no one can see what you do online. We’re talking about enterprise VPNs here, which means that in this phase, all your data flows within your company’s internal network (your employers can see what you do online, so keep this in mind).
- Phase 3: After disconnecting from any VPN (and this includes enterprise VPNs), you return to your regular data flow - once again, exposing your Web traffic to your ISP and anyone else online.
As you can see, only the second phase uses a VPN tunnel - a private gateway for your Web data. Well, split-tunneling means that some of your data flows through that VPN tunnel while the rest flows outside of it. In other words, all of the phases mentioned above are active at the same time.
Of course, you can fine-tune your split-tunneling options. This means that you can decide which applications (or devices) use the VPN tunnel, and which ones use the 'regular' tunnel. We'll talk more about this later on in the article.
Why Do I Need Split-Tunneling?
The big question is - why do you need split-tunneling? What are its upsides and downsides? And in the end, you’ll want to know whether going through this process is worth the trouble. So, let’s answer all those questions.
The Pros of Split-Tunneling
As explained above, by introducing split-tunneling to your enterprise VPN connection, you have two routes for your Web traffic. The most apparent benefit of split-tunneling is the reduction of the overall bandwidth impact - which especially applies to your company’s VPN infrastructure. As such, this is also the reason why the majority of enterprise VPN connections support split-tunneling.
Next, we have another benefit that’s closely related to your privacy. Enterprise-grade VPNs aren’t designed to protect your privacy - they’re designed to secure your company’s network and allow you to exchange data in an encrypted way. The chances are that your company sees everything you do while connected to your company’s VPN infrastructure. After introducing split-tunneling, you have the option to choose which route your Web data takes. However, keep in mind that even if you use a VPN, your ISP can still see some data.
And also, let’s not forget that VPNs can slow down your Web connection, which introduces a set of problems related to latency. Considering that your data needs to travel a greater distance, you will experience some degradation of your Web connection speed. That’s simply how VPN applications work - and there’s not much you can do about it while using an enterprise VPN. By taking the VPN out of this equation for part of your traffic, you once again return to your regular Web speed. In other words, you’ll get to browse the Web as fast as you can, while still using your VPN connection when working remotely.
The Cons of Split-Tunneling
Enterprise VPNs come with robust cyber-security, as it’s imperative to prevent any unauthorized access. We don’t have to tell you about the importance of avoiding hacking attempts in this case, or about the devastating consequences of those attacks. This is also the reason why we get to hear about hacking groups targeting enterprise VPN servers, which happens quite often actually. Even the most prominent companies out there aren’t safe, as the last year’s Airbus incident has proven.
Considering that your data will travel via two channels (after you introduce split-tunneling to your connection), this means that you’ll get two differently secured Web data routes. Everything going through your enterprise VPN’s tunnel will be protected (based on the cyber-security policies imposed by your company). However, everything going through your "regular" tunnel won’t be protected, and it’s up to you to think about how that affects your workflow.
In other words, split-tunneling can expose parts of your Web connection and some of your personal data. It can make you vulnerable to previously mentioned hacking attacks and can make your data "readable" by anyone else online. With this said, we highly recommend using an anti-virus tool and setting up the firewall on your computer. This is how you can protect all your Web data, no matter which tunnel it uses.
What Types of Split-Tunneling Are There?
There are several different types of split-tunneling. It’s essential to know at least the very basics of each of them, as this will help greatly once you decide to enhance your VPN connection.
- Traditional Split-Tunneling - This is the type of split-tunneling that the majority of you are going to use. Basically, you will create two tunnels for your data. One is for your work-related data, which means that you’ll still get to access remote resources by using your company’s VPN. However, you’ll also get to maintain a standard connection at the same time. This is the simplest type of split-tunneling and this is a possibility on both Windows and macOS - which we’ll explain below.
- Inverse Split-Tunneling - This type implies using your VPN connection as the primary tunnel for your Web data (this means that all your Web data will primarily run through the secure tunnel, whenever possible). Then, you can decide what kinds of information can be routed outside of your VPN connection. The following split-tunneling type is a derivative of this type, as these two are interconnected.
- Device-Based Split-Tunneling - In case you have a DD-WRT router or perhaps a capable VPN router, you can decide which devices are covered by your VPN connection. For example, this is how you can protect your computer and smartphone while leaving your gaming console on your regular (non-VPN) connection. As said earlier, this is best configured via routers, and we recommend it to more advanced VPN users only.
- Destination-Based (IP) Split-Tunneling - And finally, we have a type of split-tunneling that routes your data based on its destination. For example, you can decide to use a VPN connection for everything except Netflix. However, this type of split-tunneling is incredibly hard to set up as you need a compatible router, and websites such as Netflix have many different IPs. This complicates the situation overall, as getting this type of split-tunneling to work can be very frustrating.
How to Set-Up Split Tunneling on Enterprise VPNs?
Before resorting to manual configuration, we recommend checking your VPN’s interface carefully. Many enterprise VPNs allow split-tunneling to be configured through their own interface. If you can’t find this option, feel free to contact your company’s IT department.
If this can’t be done via your VPN’s interface, you’ll need to enable split-tunneling manually (on your computer). There are certain limitations here based on the operating system you use, which we’ll explain below.
How to Enable Split-Tunneling on Windows?
We have to note that split-tunneling on Windows is quite restricted - if you decide to use your operating system and not your VPN’s interface. The most important thing to keep in mind is that this method works on VPN connections based on L2TP, SSTP, or PPTP.
The following procedure will allow you to use a local connection to access the Internet. In other words, you’ll use your VPN connection only to access remote resources, such as a remote server that’s accessible only via a VPN. Also, we’ll assume that you already have a VPN connection active and alive in the background, so let’s get started.
- Launch the Start Menu, and type in 'PowerShell.' You’ll see it among the search results, so go ahead and right-click on it. Then, select 'Run as Administrator.'
- Your OS’ PowerShell should appear now, with a prominent blue background. Type in 'Get-VPNConnection' and press Enter. This will list all the VPN connections currently present. Make sure to remember the name of your VPN connection, as you’ll need it soon enough.
- Now, check out the following command: Set-VPNConnection -Name "<VPN NAME>" -SplitTunneling $True. Use this command, but remember to replace <VPN NAME> with the name of your VPN connection (as mentioned in the previous step). Type in the command and press Enter.
- You can check if you’re doing alright so far by using the "Get-VPNConnection" command again. This will list all your VPN connections and their preferences. Look for 'Split Tunneling,' and it should say 'True' on the right-hand side.
- If you want to add a route for any VPN subnets, use the command "ipconfig /all" and hit Enter. Keep in mind that you need to be connected to the VPN at this point. You’ll see a list of interfaces, and you need to look at the "Description" field.
- Finally, input the following command by replacing the information between the <> markings: netsh interface ipv4 add route <destination subnet> "<interface name>". Once again, the interface name in this field should correspond to the previously mentioned "Description" field.
- To delete individual routes, go with netsh interface ipv4 delete route <destination subnet> "<interface name>". And if you want to disable split tunneling on your connection, go with the following command: Set-VPNConnection -Name "<VPN NAME>" -SplitTunneling $False.
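As an added example that is not part of the original article, the following elevated PowerShell script performs the Windows steps above in one go. It goes one step beyond the article by storing the corporate routes in the VPN profile with Add-VpnConnectionRoute (so they are re-applied on every connect, unlike a netsh route) and by checking that the default route still leaves through the local adapter. The connection name and subnets are placeholders, and it assumes the VPN's interface alias matches the connection name, which is the Windows default.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run in an elevated PowerShell.
# $VpnName and $CorporateSubnets are placeholders; replace them with your own values.
param(
    [string]   $VpnName = "<VPN NAME>",                               # as listed by Get-VpnConnection
    [string[]] $CorporateSubnets = @("10.0.0.0/8", "192.168.100.0/24")  # example corporate prefixes
)

# 1. Confirm the profile exists before changing anything.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop

# 2. Enable split tunneling (the Set-VPNConnection step from the article).
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# 3. Attach a route for each corporate subnet to the profile itself, so only
#    these destinations are sent through the tunnel and the routes persist
#    across reconnects (the manual netsh route does not survive a reboot).
foreach ($prefix in $CorporateSubnets) {
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $prefix -ErrorAction Stop
}

# 4. Verify: split tunneling is on and the routes are stored in the profile.
$vpn = Get-VpnConnection -Name $VpnName
"SplitTunneling : $($vpn.SplitTunneling)"
"Tunnelled prefixes: $($vpn.Routes.DestinationPrefix -join ', ')"

# 5. While connected, make sure the default route (0.0.0.0/0) still points at the
#    local adapter; if it points at the VPN, Internet traffic is still being
#    pulled into the tunnel and split tunneling is not actually in effect.
if ($vpn.ConnectionStatus -eq "Connected") {
    $default = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
               Sort-Object RouteMetric | Select-Object -First 1
    "Default route via interface: $($default.InterfaceAlias)"
    # Assumption: the VPN interface alias equals the connection name (Windows default).
    if ($default.InterfaceAlias -eq $VpnName) {
        Write-Warning "Default route still goes through the VPN; split tunneling is not in effect."
    }
} else {
    "Connect to '$VpnName' and re-run to check the default route."
}
```

Remove-VpnConnectionRoute with the same -ConnectionName and -DestinationPrefix undoes an individual route, mirroring the netsh delete step above.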
How to Enable Split-Tunneling on macOS?
When it comes to macOS, split-tunneling works with L2TP and PPTP connections, and you can also alter the destination subnet of your VPN’s private space. And in contrast to Windows, split-tunneling on macOS is done in a much easier way.
- Go to System Preferences > Network. In the left-placed sidebar, make sure to click on your enterprise VPN connection.
- On the right side, go to Advanced Settings > Options. Then, uncheck the box for 'Send all traffic over VPN connection'. Once you uncheck the box, you will enable split-tunneling on your macOS computer.
- Then, proceed to connect to your VPN. Next, go to Applications > Utilities > Terminal. Alternatively, you can press CMD + SPACE and type in 'Terminal' to open the application. As you’ll soon see, this is a command-line interface.
- Type in "ifconfig" and hit Enter. This will show a list of your network interfaces, so you need to identify the interface used by your VPN. In case you’re using L2TP (which happens in the majority of cases), this will probably be "ppp0".
- Now log in as root. Type in "sudo su" and then authenticate by using your macOS password.
- Finally, enter the following command: route add -net <DESTINATION SUBNET> -interface <VPN INTERFACE>. In this case, you pick a subnet that you want to route through your VPN, and when it comes to the ‘VPN Interface' field, we talked about this in one of the previous steps (it’s going to be “ppp0” in the majority of cases).
It would be an understatement to say that split-tunneling can be confusing, especially when it comes to inexperienced users. With this said, we’ll answer some of the most commonly asked questions, and try to simplify this topic.
Is Split-Tunneling Secure?
Split-tunneling allows your Web data to flow through two separate channels. One of those is protected by your VPN, while the other one is exposed. Therefore, a portion of your Web data will remain visible online, which might be a security risk.
To prevent any unwanted consequences of split-tunneling, we recommend using an anti-virus tool and setting up a firewall on your computer. Also, don’t join any open Wi-Fi networks and use common sense when browsing the Web (avoid potentially dangerous websites, don’t download P2P files, and similar).
What’s the Difference Between Full- and Split-Tunneling?
Split-tunneling introduces two completely separate channels for your data - one that is open to the Web and the other that’s used by your VPN only. Full-tunneling means that all your traffic is either going through your company’s VPN infrastructure or it’s completely open to the Web (it’s going through your ISP’s infrastructure).
Is Split-Tunneling Difficult to Set-Up?
We won’t hide the fact that split-tunneling isn’t the easiest thing to achieve. This is why we strongly recommend you to check whether your enterprise VPN offers split-tunneling as a built-in feature. If you can’t fine-tune this option via your VPN’s UI, this means that you’ll need to resort to your operating system to enable and fine-tune split-tunneling.
Alternatively, this can be also achieved via compatible routers. However, this is a highly technical solution with variable results, and we recommend using it as the final measure.
Do Commercial VPNs Offer Split-Tunneling as Well?
Dear visitors, this is where we conclude our guide on split-tunneling. In case you have any questions or any advice for us, make sure to post a comment below. We’ll do our best to respond promptly.