Split tunneling is a computer networking concept which allows a user to access dissimilar security domains, such as a public network (e.g., the Internet) and a local area network (LAN) or wide area network (WAN), at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a LAN network interface controller (NIC), radio NIC, wireless LAN (WLAN) NIC, and VPN client software application, without an access control deciding which path a given packet may take.

For example, suppose a user utilizes a remote access VPN software client connecting to a campus network using a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (websites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network.

However, not every VPN allows split tunneling. Some VPNs with split tunneling include Private Internet Access (PIA), ExpressVPN, and Surfshark.

Split tunneling is sometimes categorized based on how it is configured. A split tunnel configured to tunnel only traffic destined to a specific set of destinations is called a split-include tunnel. When configured to tunnel all traffic except traffic destined to a specific set of destinations, it is called a split-exclude tunnel.
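The two configurations above differ only in which way the default route points. The following is an added example, not code from the article or from any VPN product: a longest-prefix-match route table that models what a VPN client installs on the host when it brings the tunnel up, with one builder for a split-include table and one for a split-exclude table. The interface names (tun0 for the tunnel, wlan0 for the hotel Wi-Fi), the address ranges and the VPN server address are assumptions for illustration.

```python
"""Route tables for split-include and split-exclude tunnels.

Added example, not code from the article: a longest-prefix-match route table
that models what a VPN client installs on the host when it brings the tunnel
up. Interface names (tun0 for the tunnel, wlan0 for the hotel Wi-Fi) and all
address ranges are assumed for illustration."""
import ipaddress


class RouteTable:
    """Minimal forwarding table: destination prefix -> outgoing interface."""

    def __init__(self):
        self.routes = []  # list of (ip_network, interface)

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), iface))

    def lookup(self, dst):
        """Return the interface for the most specific matching prefix, or
        None if no route of the destination's address family exists."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best[1] if best else None


def split_include(tunnel_prefixes, tunnel="tun0", local="wlan0"):
    """Only the listed destinations go through the tunnel; the default route
    stays on the local network, so Internet traffic exits the hotel gateway.
    Both address families get a local default so IPv6 is not left unrouted."""
    t = RouteTable()
    t.add("0.0.0.0/0", local)
    t.add("::/0", local)
    for p in tunnel_prefixes:
        t.add(p, tunnel)
    return t


def split_exclude(direct_prefixes, vpn_server, tunnel="tun0", local="wlan0"):
    """Everything goes through the tunnel except the listed destinations.
    The VPN server's own address must stay on the local interface, or the
    encrypted packets that carry the tunnel would be routed into the tunnel."""
    t = RouteTable()
    t.add("0.0.0.0/0", tunnel)
    t.add("::/0", tunnel)
    t.add(vpn_server, local)  # host route (/32 or /128) for the tunnel endpoint
    for p in direct_prefixes:
        t.add(p, local)
    return t


# Assumed corporate ranges (RFC 1918 space plus an IPv6 unique local prefix).
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "fd00:c0:ffee::/48"]
# Assumed destinations a split-exclude policy sends straight to the Internet.
DIRECT_PREFIXES = ["198.51.100.0/24"]
VPN_SERVER = "203.0.113.1"  # assumed tunnel endpoint


if __name__ == "__main__":
    inc = split_include(CORP_PREFIXES)
    exc = split_exclude(DIRECT_PREFIXES, VPN_SERVER)
    for dst in ("10.1.2.3", "198.51.100.7", "fd00:c0:ffee::10", "2001:db8::1", VPN_SERVER):
        print(f"{dst:>18}  split-include -> {inc.lookup(dst)}   split-exclude -> {exc.lookup(dst)}")
```

The host route for the VPN server is the detail most often forgotten when a split-exclude table is built by hand: without it the tunnel's own transport packets match the default route into the tunnel and the connection collapses. The split-exclude table is also what the "inverse split tunneling" variant described further down installs, with the exception list supplied by the gateway rather than the user.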


Advantages

One advantage of split tunneling is that it alleviates bottlenecks and conserves bandwidth, since Internet-bound traffic does not have to pass through the VPN server. Another arises when a user works at a supplier or partner site and needs access to resources on both that site's network and the home organization's network: split tunneling spares the user from continually connecting and disconnecting the VPN.


Disadvantages

A disadvantage is that, with split tunneling enabled, users bypass gateway-level security that might be in place within the company infrastructure. For example, web or content filtering is usually enforced at the gateway, not on the client PC, so traffic that leaves directly through the local network is never filtered. The client also ends up bridging the two security domains: it has a direct Internet path and a tunnel into the corporate network at the same time, so a client compromised over the former offers a route into the latter.

ISPs that implement DNS hijacking break name resolution of private (internal) addresses over a split tunnel: a query for an internal name that goes to the ISP resolver on the local network, rather than to the corporate resolver, is answered with the ISP's substitute address instead of failing, and that public address is then reached over the local gateway rather than through the tunnel.
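The usual remedy for the DNS problem is split DNS: send queries for the internal domain suffixes to the corporate resolver over the tunnel and everything else to the local resolver, and probe the local resolver for NXDOMAIN rewriting before trusting it. The following is an added example, not code from the article. The two resolvers are constructed lookup tables standing in for the corporate resolver reachable over the tunnel and the hotel/ISP resolver on the local network; the suffix list, names and addresses are all illustrative.

```python
"""Split DNS next to a split tunnel, and a check for an ISP resolver that
hijacks NXDOMAIN answers.

Added example, not code from the article. The two resolvers are constructed
lookup tables standing in for the corporate resolver reachable over the
tunnel and the hotel/ISP resolver on the local network; all names and
addresses are illustrative."""
import secrets

# Assumed DNS suffixes that only the corporate resolver can answer.
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed answer tables (name -> IPv4 address).
_CORP_ZONE = {"fileserver.corp.example": "10.20.0.5", "mail.corp.example": "10.20.0.7"}
_PUBLIC_ZONE = {"www.example.org": "198.51.100.10"}


def corp_resolver(name):
    """Corporate resolver reached over the tunnel: internal names, else public."""
    return _CORP_ZONE.get(name) or _PUBLIC_ZONE.get(name)


def honest_isp_resolver(name):
    """Local resolver that returns None (NXDOMAIN) for unknown names."""
    return _PUBLIC_ZONE.get(name)


def hijacking_isp_resolver(name):
    """Local resolver that answers every unknown name with an ad/search host."""
    return _PUBLIC_ZONE.get(name, "203.0.113.250")


def _norm(name):
    return name.lower().rstrip(".")


def is_internal(name):
    """True if the name is one of the internal suffixes or lies beneath one."""
    n = _norm(name)
    return any(n == s or n.endswith("." + s) for s in INTERNAL_SUFFIXES)


def resolve_naive(name, local_resolver):
    """What a split tunnel does without split DNS: every query goes out the
    local interface to whatever resolver the hotel network handed out."""
    return local_resolver(_norm(name))


def resolve_split(name, tunnel_resolver, local_resolver):
    """Split DNS: internal suffixes go to the tunnel resolver, the rest local."""
    n = _norm(name)
    return tunnel_resolver(n) if is_internal(n) else local_resolver(n)


def nxdomain_hijack_detected(local_resolver):
    """Query a random label under .invalid, which can never exist. Any answer
    means the resolver rewrites NXDOMAIN, so its replies for names it does
    not know (such as internal hosts) cannot be trusted."""
    probe = f"probe-{secrets.token_hex(8)}.invalid"
    return local_resolver(probe) is not None


if __name__ == "__main__":
    for label, local in (("honest ISP", honest_isp_resolver), ("hijacking ISP", hijacking_isp_resolver)):
        print(label, "hijack detected:", nxdomain_hijack_detected(local))
        print("  naive :", resolve_naive("fileserver.corp.example", local))
        print("  split :", resolve_split("fileserver.corp.example", corp_resolver, local))
```

With the hijacking resolver the naive path returns 203.0.113.250 for the file server, a public address that a split-include route table then sends out the hotel gateway, which is exactly the failure described above; the split path returns the real 10.20.0.5 and the route table sends it into the tunnel.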


Variants and related technology


Inverse split tunneling

A variant of split tunneling is called "inverse" split tunneling. By default all datagrams enter the tunnel except those whose destination IPs are explicitly allowed by the VPN gateway. The criteria for allowing datagrams to exit the local network interface (outside the tunnel) may vary from vendor to vendor (e.g., port, service, etc.). This keeps control of the network gateways with a centralized policy device such as the VPN terminator, rather than with the user. This can be augmented by endpoint policy enforcement technologies such as a firewall in the endpoint device's network interface driver, group policy objects or an anti-malware agent. This is related in many ways to network access control (NAC).


Dynamic split tunneling

Dynamic split tunneling (DST) is a form of split tunneling that derives the IP addresses to include or exclude at runtime, based on a list of hostname rules or policies, rather than from a static list of address prefixes.
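Because the rules are hostnames, the client has to turn them into addresses as it goes, typically by watching the DNS answers the endpoint itself receives. The following is an added example, not code from the article or from any vendor's VPN client. The rule syntax (an exact name or a leading "*." wildcard), the idea of feeding observed DNS answers into the policy and the TTL-based expiry are assumptions; the names, addresses and TTLs are constructed.

```python
"""Dynamic split tunneling: derive the direct (excluded) address set at runtime
from hostname rules instead of a static prefix list.

Added example, not code from the article or from any vendor's VPN client. The
rule syntax (an exact name or a leading "*." wildcard) and the idea of feeding
the client's own observed DNS answers into the policy are assumptions; the
names, addresses and TTLs below are constructed."""
import ipaddress


class DynamicSplitPolicy:
    def __init__(self, exclude_rules):
        self.rules = [r.lower().rstrip(".") for r in exclude_rules]
        self.direct = {}  # ip_address -> time at which the entry expires

    def matches(self, name):
        """True if the hostname is covered by an exclude rule. A '*.' rule
        matches subdomains only, not the bare apex name."""
        n = name.lower().rstrip(".")
        for rule in self.rules:
            if rule.startswith("*."):
                if n.endswith(rule[1:]):
                    return True
            elif n == rule:
                return True
        return False

    def on_dns_answer(self, name, addresses, ttl, now):
        """Called for every DNS answer the endpoint receives. Addresses of
        matching names bypass the tunnel until the TTL expires, so CDN-backed
        hosts whose addresses change are tracked automatically.
        Returns True if the answer changed the policy."""
        if not self.matches(name):
            return False
        for a in addresses:
            self.direct[ipaddress.ip_address(a)] = now + ttl
        return True

    def goes_direct(self, dst, now):
        """Route decision: True means bypass the tunnel for this destination."""
        addr = ipaddress.ip_address(dst)
        expiry = self.direct.get(addr)
        if expiry is None:
            return False
        if expiry <= now:
            del self.direct[addr]  # stale answer: fall back to the tunnel
            return False
        return True


if __name__ == "__main__":
    policy = DynamicSplitPolicy(["*.video.example", "updates.example"])
    policy.on_dns_answer("cdn1.video.example", ["198.51.100.20"], ttl=60, now=0)
    policy.on_dns_answer("mail.corp.example", ["10.20.0.7"], ttl=60, now=0)
    for dst, t in (("198.51.100.20", 10), ("198.51.100.20", 61), ("10.20.0.7", 10)):
        print(dst, "direct" if policy.goes_direct(dst, now=t) else "tunnel", f"(t={t})")
```

Since the address set is built from DNS answers seen on the endpoint, whoever can shape those answers (the local network's resolver, for instance) can influence which destinations bypass the tunnel. Exclude rules should therefore be narrow, and the DNS path used for the rule names should itself be trusted, which ties this variant back to the DNS caveat in the Disadvantages section.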


IPv6 dual-stack networking

Internal IPv6 content can be hosted and presented to sites via a unique local address range (fc00::/7, RFC 4193) routed at the VPN level, while external IPv4 and IPv6 content is reached via the site routers on the local network.


Further reading

*Juniper Networks Secure Access SSL VPN Configuration Guide, by Rob Cameron and Neil R. Wyler, 2011, p. 241
*Citrix Access Suite 4 Advanced Concepts: The Official Guide, 2nd ed., by Steve Kaplan and Andy Jones, McGraw-Hill Education, 2006
*Microsoft Forefront UAG 2010 Administrator's Handbook, by Erez Ben-Ari and Ran Dolev, Packt Publishing, 2011
*Cisco ASA Configuration, by Richard Deal, McGraw-Hill Education, 2009, p. 413


External links


Split Tunneling in Linux