TL;DR: App filtering (split tunneling) lets you route some apps through the VPN tunnel while others connect directly. It speeds up everyday tasks, keeps home-network devices (printers, NAS, smart home) reachable, and fixes banking apps that block "foreign" IPs. It works at the operating-system level via the routing table, with full per-app support on Android and address/domain-based splitting on iOS. The trade-off: anything outside the tunnel is unencrypted and visible to your ISP, so always keep sensitive traffic inside the VPN.
What App Filtering Is and Why You Need It
When you switch on a regular VPN, every bit of your device's traffic enters a single encrypted tunnel: browser, messenger, banking app, and background updates alike. That's secure, but not always convenient. Speed drops for every program at once, local services stop responding, and some apps simply refuse to work through a "foreign" address. App filtering — the technical name is split tunneling — is a way to split your traffic into two streams and decide, per app, whether it goes through the VPN or directly.
The whole point of a VPN is to hide your traffic and swap your IP address; if you're new to the basics, start with what a VPN is in plain English. App filtering builds on that foundation and turns a VPN from a blunt switch into a precise instrument where you control each program separately.
It helps to separate two concepts. A "full tunnel" is the default on most VPNs: all traffic enters the encrypted channel. A "split tunnel" is the mode where some traffic is deliberately let out. There's no "half-baked" encryption in between: every packet is either fully encrypted and goes through the server, or fully open and goes directly. That's fundamentally safer than the habit of "let me just disable the VPN so my bank lets me in" — split tunneling keeps protection where you need it and removes it only from what you chose, not from all your traffic at once.
Why Split Your Traffic: Four Reasons
Speed and Bandwidth Savings
When all traffic flows through one tunnel, a video call, a cloud upload, app updates, and a game download all compete for the same lane. With filtering, you route only what truly needs protection through the VPN and give heavy-but-harmless traffic a direct path. The slowdown comes from two sources: encrypting each packet takes computation (noticeable across gigabytes), and your traffic goes to the VPN server first rather than straight to the site — if the server is far, you add latency and lose some bandwidth. For an encrypted banking request that's invisible; for a tens-of-gigabytes backup it's very real, and that's exactly the kind of traffic worth sending directly. More on why a tunnel slows things down in why a VPN slows your internet and how to fix it.
Access to Local Devices
A printer, a NAS, cameras, and smart-home hubs are only reachable over a direct connection inside your home network. Technically they live in your network's private address range (for example, 192.168.x.x), while a full tunnel redirects all routes to the VPN server — so a request to the printer next to you also heads "into the cloud." Split tunneling solves this: your smart-home or printing app works directly over the LAN while your browser and email stay protected. Some VPNs can automatically exclude the local subnet (an option like "allow local-network access"), which is the simplest special case of split tunneling.
Banking and Government Apps
This is the most common practical reason. You're abroad, connected to a VPN server in another country, but your bank blocks logins from a foreign IP. A bank's anti-fraud system builds a model of "normal" customer behavior, and a sudden login from another country is a classic sign of account takeover, so it plays it safe. That's not a "bad VPN" — it's exactly the protection you trust the bank with your money for. With filtering, you exclude the banking app from the tunnel (or route it through a dedicated server in your home country) so it sees a "home" address, while the rest of your traffic stays as configured. More in secure online banking.
Gaming, Torrents, and Latency-Sensitive Traffic
Online games are sensitive to ping: the extra detour to a VPN server adds latency. Often it's better to send the game directly and keep your browser and messengers under the VPN. With a torrent client it's the reverse: route it through the tunnel for anonymity and send everything else directly. One caveat: "route the game directly for ping" doesn't always help — sometimes a VPN lowers ping, when your ISP routes or throttles traffic poorly and the path through the VPN is shorter. It's a hypothesis worth testing by measuring latency in both modes. The remote-work scenario is a major reason of its own: work apps into the corporate tunnel, personal traffic directly. More in VPN for gaming and VPN for remote work.
How It Works Under the Hood
Split tunneling is implemented at the operating-system level, not inside an individual app. The VPN client creates a virtual network interface and edits the routing table — the set of rules that decides which network adapter each packet is sent to. For apps on the "VPN list," the route leads into the encrypted tunnel; for everything else, into the regular interface. The app itself doesn't know and works as usual.
Filtering is almost independent of the VPN protocol. WireGuard, OpenVPN, or IKEv2 define how traffic is encrypted inside the tunnel, while split tunneling sits a layer above, on the routing side. So a modern fast protocol like WireGuard and split tunneling pair perfectly: the former handles speed and cipher strength, the latter decides which traffic gets into that cipher. One subtle point is DNS: the query "what's the IP of this domain" is a separate step and can slip outside the tunnel with a sloppy implementation. A good VPN routes the DNS queries of tunneled apps through its own secure resolver, which is exactly why a leak test after configuring split tunneling is especially important.
There are two filtering modes:
- Allowlist (inclusive mode) — only the apps you select use the VPN, everything else goes directly. Default is unsafe; handy when you only need to protect a few things.
- Blocklist (exclusive mode) — everything uses the VPN except the apps you explicitly exclude. Default is safe; handy when you want to protect almost everything and pull just one or two apps, like a bank, out.
For privacy, the blocklist is almost always the right call: the default is safe (everything tunneled) and you make selective exceptions.
How Split Tunneling Differs from a Full VPN
| Property | Full VPN (all traffic) | Split tunneling |
|---|---|---|
| Traffic encryption | All traffic encrypted | Only tunneled traffic; direct is open |
| Everyday-task speed | Lower: all goes via the server | Higher: heavy traffic goes directly |
| Local-network access | Often lost | Preserved for direct apps |
| Bank with "home" IP | May be blocked | Exclude the bank — login works |
| IP/DNS leak risk | Minimal | Direct apps reveal your real IP |
| Setup complexity | Turn it on and go | You must decide what goes where |
Split tunneling trades part of your protection for speed and compatibility. The trade is worth it when you clearly understand which traffic is non-critical. When in doubt, leave the app in the tunnel.
Platform-by-Platform Setup
The mechanics differ noticeably from device to device. The general principle is the same — the operating system decides which adapter gets the traffic — but the degree of control varies.
Android
The most filtering-friendly platform. The system has a built-in per-app VPN mechanism: the VPN app gets a list of every installed program and can enable or disable the tunnel for each. So on Android you can build a truly "per-app" scenario: bank and game outside, browser and email inside. No fiddling with IP addresses — it's all at the level of readable app names. This is also where a blocklist is most convenient.
iOS and iPadOS
On iPhone and iPad the system is stricter. The classic "this app through the VPN, that one not" choice isn't generally available: Apple doesn't give apps that level of control over other apps' traffic. What you do get is splitting by addresses and domains — you can describe which hosts go into the tunnel and which go directly. For most everyday needs that's enough; it's just configured by address rules rather than an app list. We covered the basic setup in how to set up a VPN on iPhone.
Desktop (Windows, macOS, Linux)
On computers, flexibility is highest: you can split by app and by IP-address and domain ranges. That's handy for work scenarios — corporate resources through the VPN, everything else direct, or the reverse. Desktop also makes it easier to verify the result, since system utilities show the routing table. The general takeaway: if per-app selection matters, Android is the gold standard; on iOS, think in addresses and domains; on desktop, both are available.
Risks and Limitations
The convenience of filtering comes at a cost. The main rule: anything you take out of the tunnel goes over the open network — your ISP can see which services you reach, and on public Wi-Fi that traffic can be intercepted. So in untrusted networks your exclusion list should be minimal.
- Real IP exposure. An app that goes directly shows websites your true address and location. If your goal is to hide your IP, you can't exclude that app; for how IP-hiding works, see how to hide your IP address.
- DNS leaks. DNS queries from direct apps may bypass the secure resolver and reveal which sites you open. Check with the steps in how to test for and fix a DNS leak.
- Human error. It's easy to leave an app in the exclusions out of habit when it was exactly the one you needed to protect. Review your lists periodically.
- False sense of security. "My VPN is on" — but that particular app goes around it. Only the traffic actually inside the tunnel is protected.
When You Should NOT Enable Filtering
Split tunneling isn't a feature to turn on "just because it's there." In several situations a split tunnel brings more risk than benefit:
- You're on public or unfamiliar Wi-Fi. Any direct traffic is vulnerable to interception and rogue access points may be nearby — keep the full tunnel. Details in public Wi-Fi security.
- Anonymity is your main goal. If you want no service to see your real IP, any direct app reveals your address and creates a hole.
- You're unsure which of an app's traffic is "heavy." Many programs hit the network in the background unpredictably; if you don't understand the behavior, leave it in the tunnel.
- The device is shared or a child's. When settings can be used by someone who doesn't understand them, a simple "everything through the VPN" is more reliable.
- You're bypassing blocks. The target service needs to see the VPN server's address; an app accidentally left on direct access will undo your effort. More in how to unblock websites.
The rule is simple: split tunneling is an optimization tool, not a security one. It saves speed and fixes compatibility, but it never strengthens protection compared to a full tunnel. Enable it deliberately and only where the convenience gain is obvious and losing part of the encryption isn't critical. The most expensive mistake is excluding the browser "for speed" — it carries your most sensitive traffic.
Checklist: How to Set Up Filtering Correctly
Run through it when you first set up split tunneling — it will save you from the typical mistakes.
- Decide your default policy: for privacy it's safer to keep "everything through the VPN" and add exceptions selectively (blocklist).
- Put only non-critical traffic into exclusions: games for ping, heavy downloads for speed, local apps for home-network access.
- Either exclude your banking app (so it sees your home IP) or route it through a server in your home country — but never leave it in a "foreign" tunnel without reason.
- Never exclude apps where hiding your real IP matters: a privacy browser, a torrent client.
- After setup, test for DNS and IP leaks to confirm that direct apps aren't revealing too much.
- On public and unfamiliar Wi-Fi, temporarily disable exclusions and push all traffic through the tunnel.
- Review your lists periodically: your set of apps and your needs change over time.
- Keep the kill switch on so that if the tunnel drops, protected traffic doesn't "spill" onto the open network.
Ready-Made Profiles for the Job
Three typical profiles as starting points you can tune to yourself. The common principle across all three: traffic is in the tunnel by default, and exclusions are targeted and deliberate.
- Travel. General mode is a full tunnel through a convenient server; banking and payment apps are excluded or routed through a server in your home country; video streaming goes through a server in the country where the content is available. Don't leave exclusions on in a hotel's public Wi-Fi — open your bank over mobile data.
- Work. Corporate apps into the tunnel (often a separate corporate one); personal traffic — streaming, social media, cloud backups — directly, so you don't load the work channel or expose personal traffic to your employer.
- Home. A full tunnel for privacy from your ISP, plus an explicit allowance for the local network or an exclusion for smart-home, printing, and media-server apps. Your browser and email stay protected while your printer and NAS remain at hand.
Conclusion
App filtering turns a VPN from an on/off switch into a flexible instrument where each app gets its own optimal route. It speeds up everyday tasks, restores access to home devices, and removes the conflict with location-sensitive banking services. But for that flexibility you pay with part of your protection, so the golden rule is to keep traffic in the VPN by default, push out only the clearly non-critical, and temporarily disable exclusions on untrusted networks. The priority order: security first (critical traffic always in the tunnel), then compatibility (the bank and local devices through exclusions so they work at all), and only last, speed.
If you want to try split tunneling on your phone without complex setup, LiMP makes it a two-minute job: a list of apps, a mode for each, instant apply with no reconnect. The service runs on iOS and Android, costs about a dollar a month, and stores no logs of your activity. See the terms on the pricing page. If you're still choosing a service, check it against the criteria in how to choose a VPN in 2026.
Frequently Asked Questions
What is VPN app filtering in plain English?
It's a feature that lets you decide, per app, whether its traffic goes through the VPN tunnel or directly to the internet. The technical name is split tunneling. That way some programs stay encrypted with a hidden IP, while others use the normal connection for speed or access to your local network.
What's the difference between an allowlist and a blocklist?
With an allowlist, only selected apps use the VPN and the rest go directly (default is unsafe). With a blocklist, everything uses the VPN except explicitly excluded apps (default is safe). For privacy the blocklist is usually the right call: you protect all traffic and make selective exceptions.
Does app filtering work on iPhone?
On iOS the classic 'this app through the VPN, that one not' choice is limited by the system architecture. More often you can split by addresses and domains rather than by specific apps. Android has a full system-level per-app VPN where apps are selected directly. The idea is the same; the granularity differs.
Why doesn't my banking app work through a VPN?
The bank sees a login from a 'foreign' IP and treats it as suspicious, so it blocks you or asks for extra verification. The fix is to exclude the banking app from the tunnel (so it sees your home IP) or route it through a VPN server in your home country. Don't switch servers during a banking session — that also looks suspicious.
Does app filtering depend on the VPN protocol?
Almost not. The protocol (WireGuard, OpenVPN, IKEv2) defines how traffic is encrypted inside the tunnel, while split tunneling works a layer above, on the operating system's routing. So a modern fast protocol and split tunneling pair well: one handles speed and cipher strength, the other decides which traffic gets into that cipher.
Can I route one app through one server and another through a different server?
In most clients, split tunneling only decides whether an app goes through the tunnel or directly, not through which server. Routing different apps via different servers at once is rarely supported; usually you switch the shared server or use separate profiles for that. Check the capability in your specific VPN's settings.
