N10-009 | Chapter 129 of 163 | Objective 4.4

VPN Split Tunneling

VPN split tunneling is a critical network security concept tested on the CompTIA Network+ N10-009 exam under Objective 4.4 (Network Security). This chapter provides a deep, exam-focused explanation of split tunneling, including its purpose, how it works at the packet level, configuration details, security implications, and common pitfalls. Expect 2-3 N10-009 questions to directly reference split tunneling, often comparing it to full tunneling or discussing its security trade-offs.

25 min read | Intermediate | Updated May 31, 2026

VPN Split Tunneling: The Corporate Express Lane

Imagine a large corporation with a secure, private campus (the corporate network) and a public city (the internet). Employees have a special badge that lets them use a private express lane to the campus (the VPN tunnel). With full tunneling, every employee must take the express lane for all travel, even to the corner coffee shop (internet sites). This clogs the express lane and wastes time. Split tunneling is like giving employees the option: for trips to the campus, use the express lane; for trips to the coffee shop, just walk out the front door (direct internet access). The security team installs a gate (split tunnel policy) that checks the destination: if it's the campus, force the express lane; otherwise, allow local walking. The gate is configured with a list of campus addresses (route table) and a default rule for everything else. To prevent employees from accidentally walking into a dangerous alley (malicious site), the company might still require a security escort (web proxy) for all walking trips. This analogy mirrors the VPN client checking a routing table: traffic to corporate subnets is encrypted and sent through the tunnel; all other traffic goes directly to the local gateway.

How It Actually Works

What is VPN Split Tunneling?

VPN split tunneling is a configuration option for remote-access VPNs that allows a client device to simultaneously access both the corporate network (through the encrypted VPN tunnel) and the public internet (directly, without going through the VPN). By default, most VPN clients use full tunneling, where all traffic from the client is routed through the VPN tunnel to the corporate gateway, which then forwards internet-bound traffic to the internet. Split tunneling changes this behavior: only traffic destined for corporate resources is sent through the tunnel; all other traffic uses the client's local internet connection.

Why Split Tunneling Exists

The primary reasons for split tunneling are:

- Performance and latency: Internet-bound traffic does not need to traverse the VPN concentrator, reducing latency and bandwidth consumption on the corporate internet link.
- Reduced load on VPN gateways: The corporate VPN concentrator handles less traffic, allowing more concurrent users.
- Access to local resources: Remote users can still print to local printers, access local file shares, or use local internet services without disruption.
- Cost savings: For cloud or SaaS applications, direct internet access avoids costly MPLS or VPN bandwidth.

How Split Tunneling Works: Packet-Level Mechanism

Understanding split tunneling requires knowledge of how the VPN client builds its routing table. When a VPN connection is established, the VPN client typically:

1. Obtains an IP address from the VPN server (virtual IP).
2. Adds a default route (0.0.0.0/0) pointing to the virtual interface (full tunnel).
3. Adds specific routes for the corporate subnets (e.g., 10.0.0.0/8) pointing to the virtual interface.

With split tunneling, the VPN client does not add a default route. Instead, it only adds routes for specific corporate subnets. All other traffic uses the client's existing default route (usually the local gateway). The VPN server can push these routes via DHCP or configuration protocols like IKEv2 or OpenVPN.

For example, a Windows VPN client using IKEv2:

- After connection, the routing table shows:
  - 10.0.0.0/8 via the virtual interface (VPN tunnel)
  - 0.0.0.0/0 via the local Ethernet interface (local internet)
- A packet to 8.8.8.8 (Google DNS) matches the default route (0.0.0.0/0) and goes out the local interface unencrypted.
- A packet to 10.0.0.5 matches the corporate route and goes through the VPN tunnel.

Key Components and Defaults

VPN Gateway/Concentrator: The server that terminates VPN tunnels and enforces split tunneling policies. Common products: Cisco ASA, Palo Alto, OpenVPN Access Server, Windows RRAS.

VPN Client: Software on the remote device that builds the tunnel and modifies the routing table. Examples: AnyConnect, OpenVPN client, native Windows VPN.

Split Tunnel Policy: Defined on the VPN gateway, specifying which subnets are accessible via the tunnel. Often configured as a list of IP ranges or a network object group.

Inverse Split Tunneling: A variation where only specific traffic is sent directly (e.g., only Office 365 traffic bypasses the VPN). This is common in modern SD-WAN and cloud-first architectures.

DNS Settings: With split tunneling, DNS requests for corporate domains must still be resolved via corporate DNS servers, often through the tunnel. The VPN client can be configured to send DNS requests for specific domains (e.g., company.local) through the tunnel, while other DNS requests use the local DNS.

Configuration and Verification Commands

Cisco ASA Firewall (CLI)

! Define access list for split tunnel
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0

! Apply to group policy
group-policy Remote_Users attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

OpenVPN Server Config

# Push routes for corporate subnets
push "route 10.0.0.0 255.0.0.0"
push "route 172.16.0.0 255.240.0.0"
# Do not push default route (split tunnel)
# Comment out or omit: push "redirect-gateway def1"

Verification on Windows Client

route print
# Look for the VPN virtual interface and its routes
# Example output:
# 10.0.0.0        255.0.0.0        10.0.0.2        10.0.0.2        20
# 0.0.0.0        0.0.0.0       192.168.1.1      192.168.1.100  25

The routing lookup chooses the most specific (longest-prefix) match first, so the 10.0.0.0/8 route beats 0.0.0.0/0 for corporate destinations regardless of metric. Metric values only break ties between routes of equal prefix length, which is why a full-tunnel client installs its own 0.0.0.0/0 on the VPN interface with a lower (higher-priority) metric than the local default route.
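The following is an added example, not code from the original page, that models the routing decision described in the packet-level section and in the route print verification above. It performs a longest-prefix, then lowest-metric lookup over constructed route tables (all addresses, interface names and metrics are assumptions, and 203.0.113.0/24 stands in for a published SaaS address list) and flags the IPv6 leak case where only IPv4 routes were pushed.

```python
import ipaddress

# Constructed routing tables, modelled on the 'route print' columns above:
# (destination network, next hop, interface, metric). Names and addresses are
# assumptions for the example, not taken from any real deployment.

# Split tunnel: the gateway pushed only the corporate /8; the IPv4 default
# route (and the IPv6 default) stays on the local LAN interface.
SPLIT_TUNNEL_ROUTES = [
    ("10.0.0.0/8",     "10.0.0.2",    "VPN",      20),
    ("192.168.1.0/24", "0.0.0.0",     "Ethernet", 25),  # on-link LAN
    ("0.0.0.0/0",      "192.168.1.1", "Ethernet", 25),
    ("::/0",           "fe80::1",     "Ethernet", 25),  # IPv6 default, LAN
]

# Full tunnel: same host, but the client also installed 0.0.0.0/0 on the VPN
# interface with a lower (better) metric than the LAN default route.
FULL_TUNNEL_ROUTES = SPLIT_TUNNEL_ROUTES + [("0.0.0.0/0", "10.0.0.2", "VPN", 5)]

# Inverse split: everything is tunneled except one SaaS range (203.0.113.0/24
# is a documentation prefix standing in for a published SaaS address list).
INVERSE_SPLIT_ROUTES = [
    ("0.0.0.0/0",      "10.0.0.2",    "VPN",      5),
    ("203.0.113.0/24", "192.168.1.1", "Ethernet", 25),
]


def select_route(table, dest):
    """Return the route the OS forwarding lookup would pick for `dest`:
    longest matching prefix first, lowest metric as the tie-breaker."""
    dst = ipaddress.ip_address(dest)
    best_key, best = None, None
    for net_s, next_hop, ifname, metric in table:
        net = ipaddress.ip_network(net_s)
        if net.version != dst.version or dst not in net:
            continue
        key = (net.prefixlen, -metric)      # more specific, then cheaper, wins
        if best_key is None or key > best_key:
            best_key, best = key, (net_s, next_hop, ifname, metric)
    return best


def is_tunneled(table, dest):
    """True if the packet leaves through the VPN virtual interface."""
    route = select_route(table, dest)
    return route is not None and route[2] == "VPN"


def audit_leaks(table, corporate_dests):
    """Destinations the operator expects to be tunneled but which the table
    would send out in the clear, e.g. IPv6 hosts when only IPv4 was pushed."""
    return [d for d in corporate_dests if not is_tunneled(table, d)]


if __name__ == "__main__":
    for dest in ("10.0.0.5", "8.8.8.8", "2001:db8::10"):
        print(dest, "->", select_route(SPLIT_TUNNEL_ROUTES, dest))
    print("leaks:", audit_leaks(SPLIT_TUNNEL_ROUTES, ["10.0.0.5", "2001:db8::10"]))
```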

Security Implications

Split tunneling introduces security risks:

- Bypass of corporate security stack: Internet-bound traffic does not pass through corporate firewalls, IDS/IPS, or web proxies. Malicious traffic or data exfiltration can occur undetected.
- Dual-homed device: The remote device is simultaneously connected to two networks (corporate and local internet), creating a potential bridge for attacks from the local network into the corporate network.
- Policy enforcement: It is harder to enforce compliance (e.g., antivirus updates, host checks) if the device can access the internet directly.

Mitigations include:

- Inverse split tunneling: Only allow specific low-risk traffic (e.g., SaaS) to bypass the tunnel.
- DNS tunneling protection: Monitor DNS queries to prevent data exfiltration via DNS.
- Endpoint security: Use host intrusion prevention and enforce security policies on the remote device.
- Always-on VPN: For high-security environments, enforce full tunneling with split tunneling disabled.

Interaction with Related Technologies

DNS: With split tunneling, split DNS is often used: corporate DNS servers are reachable only through the tunnel, while public DNS servers are used for internet traffic. The VPN client can be configured to send DNS suffix search lists (e.g., company.local) to the corporate DNS.
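As an added example (not part of the original page) of the split DNS selection described here and in the Key Components section, the function below chooses the corporate or local resolver by domain suffix. Resolver addresses and suffixes are assumptions; the label-boundary check is the part worth noting, since a naive string suffix match would treat 'notcompany.local' as corporate while a missing suffix leaks internal names to the local resolver.

```python
# Constructed split-DNS policy. Suffixes and resolver addresses are assumed
# values for this example, not a real deployment.
CORPORATE_SUFFIXES = ("company.local", "corp.example.com")
CORPORATE_DNS = "10.0.0.53"   # reachable only through the VPN tunnel
LOCAL_DNS = "192.168.1.1"     # the LAN router's resolver


def _normalize(name):
    """Lower-case and drop a trailing dot so 'COMPANY.LOCAL.' compares equal."""
    return name.rstrip(".").lower()


def matches_suffix(qname, suffix):
    """True only when `suffix` matches on a label boundary, so that
    'notcompany.local' is not mistaken for a host under 'company.local'."""
    qname, suffix = _normalize(qname), _normalize(suffix)
    return qname == suffix or qname.endswith("." + suffix)


def choose_resolver(qname):
    """Return the resolver the split-DNS client would send this query to."""
    for suffix in CORPORATE_SUFFIXES:
        if matches_suffix(qname, suffix):
            return CORPORATE_DNS
    return LOCAL_DNS


def find_dns_leaks(queries, expected_internal):
    """Names the operator considers internal that the policy would still send
    to the local resolver: the DNS leak case from the text."""
    return [q for q in queries
            if _normalize(q) in {_normalize(n) for n in expected_internal}
            and choose_resolver(q) == LOCAL_DNS]


if __name__ == "__main__":
    for q in ("intranet.company.local", "www.example.com", "notcompany.local"):
        print(q, "->", choose_resolver(q))
```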

NAC (Network Access Control): When a remote device connects via split tunnel, NAC solutions may not be able to perform posture assessment on internet-bound traffic.

SD-WAN: Modern SD-WAN solutions often use application-aware split tunneling, where traffic to specific cloud applications (e.g., Microsoft 365) is routed directly, while other traffic goes through the corporate network.

IPv6: Split tunneling must consider IPv6. If the corporate network uses IPv6, routes for IPv6 subnets must also be pushed. Some VPN clients may leak IPv6 traffic if not configured properly.

Common Pitfalls and Exam Traps

Trap: Split tunneling always improves security. Reality: It reduces security because internet traffic bypasses corporate controls.

Trap: Split tunneling is the same as full tunneling. Reality: Full tunneling sends all traffic through the VPN; split tunneling only sends specific traffic.

Trap: Split tunneling is always configured on the client. Reality: The policy is typically enforced by the VPN gateway; the client can be locked down to prevent modification.

Trap: Split tunneling only affects IPv4 traffic. Reality: IPv6 traffic must also be considered; failure to configure IPv6 split tunneling can lead to traffic leaks.

Walk-Through

Step 1: Determine Corporate Subnets

The network administrator identifies the IP address ranges that belong to the corporate network. These are typically private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or specific public IPs for data centers. This list is used to create the split tunnel policy. On the exam, you may be given a scenario where you must select which subnets should be included in the split tunnel.

Step 2: Configure VPN Gateway Policy

The administrator configures the VPN gateway (e.g., Cisco ASA, Palo Alto) with a split tunnel policy. This typically involves creating an access control list (ACL) or network object group listing the corporate subnets, and then applying it to the VPN group policy. The policy is set to 'tunnelspecified' (Cisco) or equivalent, meaning only traffic to those subnets is tunneled. All other traffic uses the client's local interface.

Step 3: Establish VPN Connection

The remote user initiates the VPN connection. The VPN client authenticates and negotiates security parameters (e.g., IKEv2, IPsec). The VPN server sends configuration parameters, including the split tunnel routes. The client receives the list of corporate subnets and installs routes in its routing table for those subnets, pointing to the virtual VPN interface. No default route is added.

Step 4: Traffic Routing Decision

When the client sends a packet, the operating system checks the routing table. If the destination IP matches a corporate subnet route (e.g., 10.0.0.0/8), the packet is encapsulated with VPN headers (encryption and authentication) and sent through the VPN tunnel to the VPN gateway. If the destination does not match any corporate route, the packet is sent directly via the local network interface, unencrypted, to the local default gateway.

Step 5: Security and Monitoring

The network team monitors traffic patterns and security events. They may enforce additional controls like requiring all internet-bound traffic to pass through a cloud web proxy (e.g., Zscaler) even when using split tunneling. This is achieved by configuring the VPN client to redirect HTTP/HTTPS traffic to the proxy. The exam may ask about the security implications of split tunneling versus full tunneling.

Step 6: Troubleshoot Split Tunnel Issues

Common issues include: routes not pushed correctly (check VPN server config), client not applying routes (check client logs or 'route print'), or traffic leaking (e.g., IPv6 traffic not routed through tunnel). Tools like traceroute and packet capture (Wireshark) help verify. On the exam, you may need to identify why a user cannot access a corporate resource while using split tunneling.

What This Looks Like on the Job

Enterprise Scenario 1: Remote Access for Sales Team

A global sales team frequently travels and needs access to the corporate CRM (10.0.10.0/24) and email (10.0.20.0/24). They also need fast access to public cloud services like Salesforce and Office 365. Deploying full tunneling would force all their internet traffic through the corporate HQ, causing high latency and bandwidth costs. The solution: split tunneling. The VPN gateway is configured with split tunnel policy listing only the CRM and email subnets. The sales team's VPN clients have a split DNS configuration where queries for 'company.com' go through the tunnel, while all other DNS queries use the local internet. This reduces latency for cloud apps and lowers bandwidth usage at HQ. However, the security team implements a cloud web proxy (Zscaler) that all internet traffic must pass through, even when not tunneled. The VPN client is configured to redirect HTTP/HTTPS to Zscaler, ensuring visibility and security for internet-bound traffic.

Scenario 2: SaaS-Optimized Split Tunneling (Inverse Split)

A company adopts Microsoft 365 and wants to optimize performance. They use inverse split tunneling: only traffic to Microsoft 365 IP ranges (published by Microsoft) is allowed to bypass the VPN; all other traffic goes through the full tunnel. This is configured on the VPN gateway using a dynamic list of Microsoft 365 IPs (updated via API). The VPN client receives these routes and sends Office 365 traffic directly, reducing latency for Teams and Outlook. The rest of the traffic (including internal apps) remains tunneled for security. This is a common pattern in modern SD-WAN deployments. The exam may test the concept of 'inverse split tunneling' or 'split tunneling based on application'.

Scenario 3: Contractor Access with Full Tunneling

A company hires contractors who need access to a specific internal web app (192.168.50.0/24). To minimize security risk, the company enforces full tunneling for contractors: all traffic goes through the VPN, ensuring all internet activity is inspected by the corporate firewall. Split tunneling is disabled. This is common for untrusted devices or when strict data loss prevention (DLP) policies are required. The exam may ask: 'When should full tunneling be used instead of split tunneling?' The answer: when security and compliance require all traffic to be inspected.

How N10-009 Actually Tests This

N10-009 Exam Focus on VPN Split Tunneling

The CompTIA Network+ N10-009 exam tests VPN split tunneling under Objective 4.4: 'Given a scenario, configure and deploy network security solutions.' Specifically, you must understand the trade-offs between full tunneling and split tunneling, and when to use each. Expect 2-3 questions that directly reference split tunneling, often as part of a broader VPN configuration scenario.

Common Wrong Answers and Why They Are Wrong

1. 'Split tunneling sends all traffic through the VPN.' This describes full tunneling, not split tunneling. Candidates confuse the two because they remember 'tunnel' but forget the 'split' part.

2. 'Split tunneling is more secure than full tunneling.' This is false. Full tunneling is more secure because all traffic is inspected by corporate security appliances. Split tunneling reduces security by allowing direct internet access.

3. 'Split tunneling is configured on the client only.' While clients can be configured, the policy is enforced by the VPN gateway. The exam may present a scenario where the client ignores the gateway's policy; the correct answer involves checking the gateway configuration.

4. 'Split tunneling only affects IPv4.' IPv6 traffic can also be split. If IPv6 is not configured, traffic may leak outside the tunnel. The exam may test this edge case.

Specific Numbers and Terms to Know

Default route (0.0.0.0/0): In full tunneling, this route is added to the client's routing table pointing to the VPN interface. In split tunneling, it is not added.

Tunnel all vs. tunnel specified: Cisco ASA terminology. 'Tunnel all' = full tunnel; 'tunnel specified' = split tunnel.

Inverse split tunneling: Only specific traffic (e.g., Office 365) bypasses the tunnel; everything else is tunneled.

Split DNS: DNS queries for corporate domains are sent through the tunnel; others are local.

Always-on VPN: A configuration where the VPN automatically connects and split tunneling is disabled for security.

Edge Cases and Exam Traps

IPv6 leakage: If the corporate network uses IPv4 and the VPN client has an IPv6 stack, the client may send IPv6 traffic directly (not through the tunnel). The exam may ask how to prevent this: disable IPv6 on the VPN interface or push IPv6 routes.

Local network access: With split tunneling, a user can access local printers and file shares. The exam may ask: 'Which type of tunneling allows access to local resources?' Answer: split tunneling.

Performance impact: Full tunneling adds latency for all traffic; split tunneling reduces latency for internet traffic. The exam may ask: 'Which tunneling method reduces bandwidth use on the corporate internet link?' Answer: split tunneling.

How to Eliminate Wrong Answers

When faced with a question about split tunneling, ask:

Does the scenario require all traffic to be inspected? If yes, full tunneling is correct.

Does the scenario require access to local resources or reduced latency? If yes, split tunneling is correct.

Is the question about configuration? Look for keywords like 'tunnel specified' or 'route push'.

Is the question about security? Remember: full tunneling = more secure; split tunneling = less secure.

Key Takeaways

Split tunneling routes only corporate-destined traffic through the VPN; all other traffic uses the local internet connection.

Full tunneling routes all traffic through the VPN, providing greater security and inspection.

Split tunneling improves performance and reduces bandwidth costs but introduces security risks.

The VPN gateway defines split tunnel policies by pushing specific routes (e.g., 10.0.0.0/8) to the client.

Inverse split tunneling allows only specific low-risk traffic (e.g., Office 365) to bypass the tunnel.

Split DNS is often used with split tunneling to resolve corporate domains through the tunnel.

IPv6 traffic must be considered; failure to configure IPv6 routes can cause traffic leaks.

Always-on VPN with full tunneling is preferred for high-security environments.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Full Tunneling

All traffic goes through the VPN tunnel.

Higher latency for internet traffic due to extra hop.

Increased load on VPN gateway and corporate internet link.

All traffic inspected by corporate security stack (firewall, IDS, proxy).

Cannot access local resources (printers, file shares) while VPN is active.

Split Tunneling

Only corporate traffic goes through the VPN tunnel; internet traffic is direct.

Lower latency for internet traffic.

Reduced load on VPN gateway and corporate internet link.

Internet traffic bypasses corporate security controls.

Can access local resources simultaneously.

Watch Out for These

Mistake

Split tunneling means all traffic goes through the VPN tunnel.

Correct

Split tunneling means only traffic destined for corporate subnets goes through the tunnel; all other traffic goes directly to the internet. Full tunneling sends all traffic through the tunnel.

Mistake

Split tunneling is always less secure than full tunneling.

Correct

Generally true, but with proper controls (e.g., cloud web proxy, endpoint security), split tunneling can be made reasonably secure. The exam treats split tunneling as less secure by default.

Mistake

Split tunneling is configured solely on the VPN client.

Correct

The VPN gateway enforces the split tunnel policy by pushing routes to the client. The client can sometimes override, but enterprise solutions lock client configuration.

Mistake

Split tunneling only applies to IPv4 traffic.

Correct

IPv6 traffic must also be considered. If the VPN does not push IPv6 routes, IPv6 traffic may leak outside the tunnel, creating a security risk.

Mistake

Inverse split tunneling is the same as full tunneling.

Correct

Inverse split tunneling is a variation where only specific traffic (e.g., SaaS) bypasses the tunnel, while all other traffic is tunneled. It is a form of split tunneling, not full tunneling.


Frequently Asked Questions

What is the difference between split tunneling and full tunneling?

Split tunneling sends only corporate-bound traffic through the VPN tunnel; all other traffic goes directly to the internet. Full tunneling sends all traffic through the VPN. The key difference is the default route: full tunneling adds a default route pointing to the VPN interface; split tunneling does not. Split tunneling reduces load on the VPN gateway and improves internet performance, but it bypasses corporate security controls for internet traffic.

When should I use split tunneling vs full tunneling?

Use split tunneling when performance and access to local resources are critical, and when internet traffic is low-risk (e.g., for a sales team using SaaS apps). Use full tunneling when security compliance requires all traffic to be inspected, for untrusted devices, or when the corporate network has strict DLP policies. The exam often presents scenarios where you must choose based on security requirements.

How does split tunneling affect DNS?

With split tunneling, DNS requests for corporate domains must still be resolved by corporate DNS servers. This is achieved through split DNS: the VPN client is configured to forward DNS queries for specific domains (e.g., company.local) through the tunnel to corporate DNS servers. All other DNS queries use the local DNS. Failure to configure split DNS can result in DNS leaks, where corporate hostnames are resolved by public DNS, potentially exposing internal IP addresses.

What is inverse split tunneling?

Inverse split tunneling is a configuration where only specific traffic (e.g., traffic to Microsoft 365 IP ranges) is allowed to bypass the VPN tunnel; all other traffic is tunneled. This is used to improve performance for cloud applications while maintaining security for other traffic. It is common in SD-WAN and modern VPN deployments. The exam may test this as an alternative to traditional split tunneling.

Can split tunneling cause security vulnerabilities?

Yes. Internet traffic bypasses corporate security appliances (firewalls, IDS/IPS, web proxies), making the device vulnerable to attacks from the internet and potentially allowing malware to enter the corporate network if the device is compromised. Additionally, the dual-homed device can be used as a bridge to attack the corporate network. Mitigations include using a cloud web proxy, enforcing endpoint security, and implementing always-on VPN for sensitive users.

How do I verify split tunneling is working?

On the VPN client, use 'route print' (Windows) or 'netstat -rn' (Linux) to view the routing table. Look for a route to the corporate subnet (e.g., 10.0.0.0/8) pointing to the VPN virtual interface, and a default route (0.0.0.0/0) pointing to the local gateway. Perform a traceroute to a corporate IP (should go through tunnel) and to a public IP (should go directly). On the VPN gateway, check logs for connected clients and their assigned policies.

