This article helps you set up an OpenVPN split tunnel on your device and get the most of your VPN experience by selecting the data that goes through the VPN tunnel.
I briefly explain what VPN split tunneling is, why you may need it, and how to set up an OpenVPN split tunnel.
OpenVPN split tunnel [Summary]
Depending on the type of OpenVPN VPN server you want to connect to (OpenVPN Access Server or OpenVPN Community Edition server), you have the following options:
- Connect to an OpenVPN Access Server:
- Set up the split tunnel from the OpenVPN Access Server admin interface.
- Connect to an OpenVPN Community Edition server:
- Option 1: Modify the OpenVPN config file.
- Option 2: Use a VPN client app with split tunneling on OpenVPN.
What is VPN split tunneling, and why you may need it with OpenVPN?
VPN split tunneling is an advanced but useful feature provided by several VPN apps/VPN software and technologies. It controls the VPN traffic; more precisely, it directs some of the traffic through the VPN’s encrypted tunnel and some traffic to the standard, unencrypted channel through the ISP to the Internet.
It is a very convenient way to use a VPN for specific activities (e.g., unblock streaming channels or download torrents securely) and let other apps access local resources with your regular IP address.
A well set up VPN split tunnel provides a perfectly balanced approach for better security and great speed while using VPN only for specific apps or websites.
OpenVPN is (probably) the most commonly used protocol by the VPN services available on the market, even though WireGuard looks like a serious challenger. Thus, it is useful to know and understand how you can set up split tunneling on OpenVPN.
Solutions for setting up an OpenVPN split tunnel
You may connect to two types of servers with the OpenVPN protocol: the OpenVPN Access Server (the commercial one) and the OpenVPN Community Edition server (the free server used by most of the VPN providers). And, of course, the approaches to implementing the split tunnel depend on the type of server.
Split tunneling with the OpenVPN Access Server
OpenVPN Access Server is the commercial version of the OpenVPN server, designed and optimized for businesses.
If you are using the OpenVPN Access Server, then you may set up a split tunnel easily from the administration dashboard:
- Log in to the Admin Web UI.
- Navigate to Configuration > VPN Settings > Routing.
- Turn Should client Internet traffic be routed through the VPN? to No. From now on, the traffic intended for your private networks will cross the VPN. Other traffic will bypass the VPN.
- Additionally, you may specify subnets in the input field: Specify the private subnets to which all clients should be given access (one per line).
For more details regarding split tunneling on the OpenVPN Access Server, take a look here.
OpenVPN manual modifying config files
When you connect to an OpenVPN Community Edition server and access the OpenVPN config files, you may modify them and implement the split tunnel as you please. This is the case when you set up your own OpenVPN server or when you are subscribed to a VPN service that allows you to download the config files and use the OpenVPN client app to connect (e.g., NordVPN or OVPN).
To instruct OpenVPN use the VPN tunnel only for specific websites, here is what you have to do:
- First, find the IP of the site you want to access via VPN. You may use the
nslookupcommand or load an IP locator website (e.g., XMyIP.com), enter the URL of the website and get the IP address.
- Open and edit the OpenVPN conf file (.ovpn). Any text editor will do.
- Add the following commands:
route [IP address of the website] 255.255.255.255
- Save changes and restart the OpenVPN connection.
- To remove the split tunnel, delete the two rows, and restart the OpenVPN connection.
The result is that only the traffic to the selected website(s) will use the OpenVPN encrypted tunnel, and the rest of the traffic will remain unencrypted.
You may need to additionally configure VPN DNS Servers to stop DNS leaks, as described here, at step 6.
This works on operating systems like Windows, macOS, or Linux (Fedora, CentOS, Ubuntu, etc.), and even on routers (here it is how to set up a VPN on a router).
VPN apps with split tunneling on OpenVPN
Several VPN apps that use the OpenVPN protocol can also split the data traffic depending on the user’s needs. The setup is usually quite simple, and it consists of selecting the apps that you want to use the VPN tunnel (or, reversely, the apps that you don’t want to use the encrypted Internet connection) and turning the split option on.
Great VPNs that offer OpenVPN split tunneling are Hide.me, ExpressVPN, PrivateInternetAccess, NordVPN (on Windows and Android), and Surfshark (on Windows and Android).
For example, for enabling the OpenVPN split tunnel on Hide.me apps you have to:
- Open the Hide.me app (in this case, the macOS app).
- Make sure you use the OpenVPN protocol: Menu > VPN Protocol > OpenVPN.
- Next, open the Split Tunnel tab from the left menu.
- Select one of the two options:
- Do not allow selected apps to use the VPN (inverse split tunneling)
- Only allow selected apps to use the VPN
- The split tunnel will be turned on once the VPN connection is initialized.
How to test the OpenVPN split tunnel
My recommendation is to test your split-tunnel setup, no matter the solution you have chosen. For example, do not assume that a split-tunneling feature exposed by a VPN app works just because the feature is available. Many factors may influence the proper functioning of the app. For example, some users have reported that the ExpressVPN app does not properly establish a VPN split tunnel on Mac.
It would be best if you did not assume that your split-tunnel works perfectly as soon as you have finalized the setup. Many aspects may not go as planned.
My recommendation is to do the followings:
- With no VPN enabled, load, for example, xmyip.com (IP: 220.127.116.11). Notice your public IP address.
- Set the VPN split for xmyip (either within the OpenVPN config file, or by adding your favorite browser to the split tunnel list, as explained above).
- Enable the VPN connection.
- Re-load xmyip. Observe that your public IP address is no longer shown and the IP of the VPN server replaced it.
- If the test was successful, you may proceed with the website or websites you want to access through the VPN.
OpenVPN split tunnel FAQs
What is the difference between a full tunnel and a split tunnel?
The full tunnel encrypts all data traffic between the VPN client (from your device) and the VPN server. The split tunnel routes to the VPN only specific requests from selected apps or to certain destinations.
How do I know if my VPN is split tunneling?
You may use the traceroute command to show the path requests take to the destination. When VPN is enabled, data travels through the VPN server. With split tunneling, the traceroute will not show the IP address of the VPN server. Additionally, you may use an IP locator website as described above.
How do you stop split tunneling?
Depending on the implementation solution you have chosen, you may either remove the commands from the OpenVPN config file or select to use the VPN for all apps from the VPN client settings.
OpenVPN is probably the most used VPN protocol and a prevalent option for all VPN usage scenarios. VPN split tunneling, which brings significant benefits, can be easily set up with OpenVPN either by adding commands in the config files or by enabling the option from the VPN apps’ settings.
This is the end of our tutorial on how to get set up VPN split tunneling on OpenVPN. Subscribe to our newsletter to get notified when we publish new articles. Additionally, you will make a Transylvanian baby-bat 🦇happy.
How about the inverse. I want traffic to a specific ip to go around the vpn and direct to the internet? That is do not encrypt traffic to our from prime video?
How to connect
Tell me more about open vpn