How to set up VPN split tunneling on Mac – 3 options explained

This short tutorial explains how to set up and use VPN split tunneling on Mac. It also explains why to use split tunneling on macOS, presents the available options, and lists VPN client apps that offer access to this feature.

How to set up split tunneling on macOS [Summary]

Setting up VPN split tunneling on Mac is either very simple (if you install an app that can turn split tunneling on and off) or a little more involved, because the manual routes require some command-line skills and patience.

As your goal is to set up an advanced VPN connection on macOS (Mac OS X), I suggest that you first read our article on how to install a VPN on Mac. You will learn what the available VPN options on macOS are.

Why use split tunneling on Mac?

Simply put, split tunneling lets you control which traffic goes through the VPN. Thus, you may let specific applications connect to the Internet through the VPN tunnel while other apps access the Internet directly.

Split tunneling is very convenient on Apple Mac (as well as on other operating systems: Windows, Android, Linux, iOS) for unblocking streaming channels or downloading torrents securely. You may obtain the right balance between security/privacy/anonymity and speed, and use the VPN only for specific apps or websites.

If you are interested solely in unblocking geo-restricted websites, an alternative to split tunneling is to set up Smart DNS on your Mac.

How to set up VPN split tunneling on Mac

Depending on the way you installed the VPN on your Mac you have the following options.

Option 1: Use VPN software that implements split tunneling

Several (not many) VPN services implement split tunneling in their apps. Thus, if you subscribe to such a service, the only thing you have to do is define the rules (which apps use the VPN and which do not) and turn the VPN on.

Split tunneling on Mac with ExpressVPN, PIA, or Hide.me

We have identified several VPN providers that offer split tunneling within their macOS apps (tested on macOS Catalina, not yet on Big Sur): ExpressVPN, PrivateInternetAccess (thank you, Jorge), and Hide.me.

The user interfaces of the ExpressVPN and Hide.me apps are similar and allow you to choose between three types of behavior: (1) use the VPN tunnel for all apps, (2) exclude selected apps from the VPN, and (3) choose the apps that will use the VPN exclusively.

The PrivateInternetAccess app is somewhat similar, with the difference that you need to define a rule for every selected app.

Important: If you use Safari as your day-to-day browser, you may want to avoid ExpressVPN. There is no way to add/remove Safari to the split tunneling rules in the ExpressVPN Mac app.

To set up split tunneling using ExpressVPN, you need to:

  1. Install the ExpressVPN macOS app.
  2. Next, open the settings menu and click on Preferences.
  3. In the General tab, check the Split tunneling option.
  4. Click on the Settings button.
  5. Choose the split type:
    • All apps use the VPN.
    • Do not allow selected apps to use the VPN – inverse split tunneling.
    • Only allow selected apps to use the VPN.
  6. If you choose Do not allow selected apps to use the VPN or Only allow selected apps to use the VPN, select the apps (e.g., Chrome, Safari, a torrent client app).
  7. Test the split tunnel VPN:
    • If you have selected Safari with Only allow selected apps to use the VPN, turn ON ExpressVPN, open Safari, and load an IP locator website. You should see the IP address of the VPN server.
    • If you have selected Safari with Do not allow selected apps to use the VPN, turn ON ExpressVPN, open Safari, and load an IP locator website. You should see your public IP address. If you open another browser, you should see the VPN server’s IP address you are connected to.

Important! You need to turn ON the ExpressVPN app to activate the split tunneling.

Split tunneling on Mac with Shimo

Shimo is a VPN client application for Mac that can be easily set up for split tunneling. Shimo supports various VPN protocols: OpenVPN, IPSec, PPTP (not on macOS Catalina and later), SSL, AnyConnect, SSH.

To use Shimo you need to have access to a VPN server (from a VPN provider, from a network administrator, or set up by you). After setting up the VPN connection you may proceed with splitting the tunnel:

  1. Click on the Shimo icon from the menu bar.
  2. Click Preferences…
  3. Choose the VPN connection to configure and double click on it.
  4. Go to the Advanced tab.
  5. Disable Send all traffic over VPN.
  6. Add route(s) to Network Traffic Control by clicking the + button. The Target network is the IP address of the remote network that you want to access (e.g., 67.227.194.148). You may also define it as a network range by appending /XX in CIDR notation (e.g., 67.227.194.0/24).
  7. Select VPN as the Gateway.
  8. Set mode to Overwrite (do not use transmitted routes from VPN gateway).
  9. Click Save.

Option 2: Use the command line to define split tunneling rules

For manually created VPN connections with the L2TP protocol (L2TP over IPSec), you may set up a manual split tunneling mechanism to direct the Internet traffic to a certain target (IP) through the VPN.

This is useful when you want to use the VPN tunnel only for loading a particular website or a specific web resource. You will need the IP address (or IP range) of the target/destination website. A simple way to find it is to use the nslookup command or an online DNS lookup service where you enter the domain name or URL.

For the next steps, you will need superuser administrative privileges, an existing L2TP connection, and the destination subnet (target IP address):

  1. Go to System Preferences > Network.
  2. In the left panel, click on the VPN connection and click on the Advanced button.
  3. Next, click on the Options tab.
  4. Disable the Send all traffic over VPN connection option.
  5. Click OK and, next, Apply.
  6. Connect to the VPN.
  7. Once connected, open the Terminal app (Launchpad > type Terminal).
  8. Type ifconfig and hit Enter. Identify the network interface used by the L2TP connection (most probably it is ppp0).
  9. Log in as root to be able to run the necessary command. Type sudo su into the terminal and authenticate with your Mac password.
  10. Enter the following command, replacing [DESTINATION] with the subnet you want routed through the VPN, and [VPN INTERFACE] with the interface identified in the previous step (probably ppp0):

    route add -net [DESTINATION] -interface [VPN INTERFACE]

    You may add the “-p” flag if you want your route to remain active after a reboot (persistent).
  11. Load the desired website. It is now accessed through the VPN tunnel.
  12. To remove the split tunneling rule, turn off the VPN and type the following command:

    route delete [DESTINATION]

To better understand how this works, you may first test with an IP locator website:

  1. Load, for example, xmyip.com. Notice your IP address.
  2. Find the IP address of the server where xmyip is located. It is 67.227.194.148.
  3. Turn on the VPN and follow the steps described above.
  4. Enter the following command:
    route add -net 67.227.194.148 -interface ppp0
  5. Re-load xmyip. You should notice that your IP address is no longer shown. It is replaced by the IP of the VPN server.
  6. Don’t forget to remove the route after the test:
    route delete 67.227.194.148

If you prefer you may use a script that allows you to easily manage one or more VPN connections with split tunneling.

Option 3: Modify an OpenVPN configuration file

You may use OpenVPN on Mac and modify the config files to split the traffic. More precisely, you may instruct OpenVPN to use the VPN tunnel only for specific websites:

  1. Find the IP of the website you want to access via VPN (either use a website for this or the nslookup command).
  2. Edit the OpenVPN (or Tunnelblick) config file.
  3. Add the following directives:
    route-nopull
    route [IP address of the website] 255.255.255.255
  4. Save changes.
  5. Restart the OpenVPN connection.
  6. To remove the split tunnel, delete the two rows, and restart the OpenVPN connection.
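Option 2 and Option 3 both boil down to the same thing: a list of destinations that must go through the tunnel, expressed once as macOS route commands and once as OpenVPN directives. The following script is an added example (not code from the original article) that validates each destination, converts a /NN prefix to the dotted netmask OpenVPN needs, and prints the rules for either option; the interface name ppp0 is an assumption, confirm it with ifconfig first.

```sh
#!/bin/sh
# Added example (not code from the original article): build the split-tunnel
# rules of Option 2 (macOS `route add`/`route delete`) and Option 3 (OpenVPN
# `route-nopull`/`route`) from one list of destinations, each a host
# "a.b.c.d" or a network "a.b.c.d/NN". Interface name (ppp0) is an assumption.
# Print a 32-bit integer as a dotted quad.
int_to_dotted() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}
# Parse "a.b.c.d" into a 32-bit integer; return 1 for anything malformed.
dotted_to_int() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# Dotted netmask for a prefix length 0-32, e.g. 24 -> 255.255.255.0.
cidr_to_netmask() {
  [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
  int_to_dotted $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}
# Option 2: one macOS route command per destination, validated first.
# Usage: macos_route_cmds add|delete <vpn-interface> <dest>...
macos_route_cmds() {
  action=$1; iface=$2; shift 2
  for dest; do
    dotted_to_int "${dest%%/*}" >/dev/null || return 1
    case "$dest" in
      */*) cidr_to_netmask "${dest#*/}" >/dev/null || return 1; net='-net ' ;;
      *)   net= ;;
    esac
    if [ "$action" = add ]; then echo "route add -net $dest -interface $iface"
    else echo "route delete $net$dest"; fi
  done
}
# Option 3: OpenVPN directives. Host bits of a /NN destination are cleared so
# the route line names the network address, which is what OpenVPN expects.
openvpn_route_lines() {
  echo "route-nopull"
  for dest; do
    ip=$(dotted_to_int "${dest%%/*}") || return 1
    case "$dest" in */*) prefix=${dest#*/} ;; *) prefix=32 ;; esac
    mask=$(cidr_to_netmask "$prefix") || return 1
    maskint=$(dotted_to_int "$mask")
    echo "route $(int_to_dotted $(( ip & maskint ))) $mask"
  done
}
```

Run `macos_route_cmds add ppp0 67.227.194.148` as root to reproduce the command from Option 2, or redirect `openvpn_route_lines 67.227.194.0/24` into your .ovpn file for Option 3.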

How to test split tunneling on Mac

It is always advisable to test your split tunneling setup. My recommendation is to first use an IP locator website: set the split, load the IP locator website, and check the IP address:

  1. With no VPN connection, load, for example, xmyip.com (IP: 67.227.194.148). Notice your public IP address.
  2. Set the VPN split for xmyip.
  3. Re-load xmyip. Observe that your IP address is no longer shown and it was replaced by the IP of the VPN server.
  4. If the test was successful, you may proceed with the website or websites you want to access through the VPN.

Summary

You have learned how to set up split tunneling on Mac and take your VPN Internet connection to the next level of efficiency. However, make sure you always know which traffic is currently routed through the VPN and which is not; otherwise, you may leak your real IP address.


Comments

  1. Thanks for this. One thing: -p doesn’t work. Any other tips? The only other info I can find is to add static routes via the networksetup command, but it appears that you have to specify a default gateway IP address. I can just see ppp0!

    1. You can create a script named /etc/ppp/ip-up that will run whenever the VPN is connected. The $1 is the name of the VPN interface (typically ppp0), which is passed as an argument by macOS when the script is triggered.

      #!/bin/bash
      # $1 is the VPN interface name (e.g. ppp0) handed to ip-up by macOS
      /sbin/route add -net [destination] -interface $1

      Then run the following command to give it the correct permissions:

      sudo chown root /etc/ppp/ip-up && sudo chmod 755 /etc/ppp/ip-up

  2. Any tips on how to split the DNS as well? I’d like to use my Pi-hole for everything except the traffic directed to the VPN.

    If I add the IP address for the Pi-hole to the DNS settings for the VPN it works when I’m at home. But when I’m away from home it will fail.

  3. My OpenVPN assigns me IP 10.0.8.10 on utun3. My home macOS is assigned 192.168.75.2 by the home router on the en0 interface. I need to access the organization network over the VPN, running on the 172.16.x.x network. One of the machines is a proxy server with port xxxx, which is used for accessing Office365 email. File folders are shared over the 172.16.x.x network.
    How do I route all normal traffic (heavy home traffic) directly to the Internet, while only the selected traffic accessing the 172.16.x.x network goes via the VPN? Thanks!
