Introduction to Split Tunneling

Split tunneling is a VPN configuration where only traffic destined for corporate resources is routed through the encrypted VPN tunnel, while internet traffic goes directly from the client through its local internet connection. Without split tunneling (full tunneling), all client traffic—including YouTube, Windows Update, and personal browsing—travels through the corporate VPN server, consuming WAN bandwidth and VPN server processing capacity. On Windows Server 2019 with RRAS, split tunneling is configured on both the VPN server and in the client VPN profile. This tutorial covers configuring split tunneling for both PPTP/L2TP/SSTP and IKEv2 (Always On VPN) connections.

Split Tunneling vs Full Tunneling Trade-offs

Split tunneling reduces VPN server load and gives users better internet performance while working remotely. However, it means internet traffic from VPN clients bypasses corporate security controls (web filtering, DLP, proxy). For organizations subject to strict compliance requirements, full tunneling may be required to ensure all traffic is inspected. A middle ground is “inverse split tunneling”—routing all traffic through the VPN except specific trusted destinations such as Microsoft 365 and known CDN ranges, which are permitted to go direct.

Enabling Split Tunneling on the RRAS Server

On the RRAS server, disable the Use default gateway on remote network option for VPN clients. This prevents the VPN from pushing a default route to clients. When this setting is disabled and the client is also configured for split tunneling, only routes explicitly advertised by the VPN server are used for VPN traffic.

# Open RRAS Management Console
rrasmgmt.msc

In RRAS Management, right-click the VPN server name and select Properties. On the IPv4 tab, for IP address assignment, ensure the VPN server can assign routes to clients. The split tunneling behavior is primarily controlled on the client side—the RRAS server can push specific routes to clients via DHCP or the routing table.

Configuring Split Tunneling for PPTP/SSTP VPN Clients

For traditional VPN connections (non-AOVPN), configure split tunneling in the VPN connection properties on the client. This can be deployed via Group Policy or PowerShell.

# Disable default gateway override for an existing VPN connection
$vpnConnection = Get-VpnConnection -Name "Corporate-VPN"
Set-VpnConnection -Name "Corporate-VPN" -SplitTunneling $true

# Verify the setting
Get-VpnConnection -Name "Corporate-VPN" | Select-Object Name, SplitTunneling

Adding Split Tunnel Routes

With split tunneling enabled, you must specify which IP prefixes should be routed through the VPN. Add routes for all corporate subnets. Traffic to any other destination bypasses the VPN.

# Add split tunnel routes for corporate networks
Add-VpnConnectionRoute -ConnectionName "Corporate-VPN" -DestinationPrefix "10.0.0.0/8"
Add-VpnConnectionRoute -ConnectionName "Corporate-VPN" -DestinationPrefix "172.16.0.0/12"
Add-VpnConnectionRoute -ConnectionName "Corporate-VPN" -DestinationPrefix "192.168.0.0/16"

# Verify routes are set
Get-VpnConnectionRoute -ConnectionName "Corporate-VPN"

Split Tunneling in Always On VPN (IKEv2)

For Always On VPN (IKEv2), split tunneling is configured in the VPN profile XML. Set RoutingPolicyType to SplitTunnel and add one Route element for each corporate subnet. DomainNameInformation entries pin DNS resolution for specific domains to the internal DNS servers, and their AutoTrigger setting brings the tunnel up when such a name is queried, so internal names never resolve over the client's local DNS.

$splitTunnelProfile = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.yourdomain.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <!-- The <Eap><Configuration> block for the chosen EAP method is not shown here -->
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- One Route element per corporate subnet; only these prefixes use the tunnel -->
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
    <Metric>1</Metric>
  </Route>
  <Route>
    <Address>172.16.0.0</Address>
    <PrefixSize>12</PrefixSize>
    <Metric>1</Metric>
  </Route>
  <!-- Resolve internal names through internal DNS and auto-trigger the tunnel on lookup -->
  <DomainNameInformation>
    <DomainName>.yourdomain.com</DomainName>
    <DnsServers>10.0.1.10,10.0.1.11</DnsServers>
    <AutoTrigger>true</AutoTrigger>
  </DomainNameInformation>
  <TrustedNetworkDetection>yourdomain.com</TrustedNetworkDetection>
</VPNProfile>
"@
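As an added example (not code from the original article or from Microsoft), the following PowerShell builds the same kind of ProfileXML from a prefix list, rejects it if it is not well-formed, and applies it through the VPNv2 CSP WMI bridge. The profile name, server, prefixes and DNS servers are placeholders, and the bridge requires the script to run in the SYSTEM context.

```powershell
# Added example (not from the original article): build an AOVPN split-tunnel
# ProfileXML from a prefix list and apply it via the VPNv2 CSP MDM bridge.
# All names, prefixes and DNS servers below are placeholders.
$ProfileName = 'Corporate-AOVPN'
$Server      = 'vpn.yourdomain.com'
$Subnets     = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$DnsServers  = '10.0.1.10,10.0.1.11'
$Suffix      = '.yourdomain.com'     # leading dot = match any host under the suffix
# One <Route> per corporate prefix; nothing else enters the tunnel
$routes = foreach ($s in $Subnets) {
    $addr, $len = $s -split '/'
    "  <Route><Address>$addr</Address><PrefixSize>$len</PrefixSize><Metric>1</Metric></Route>"
}
$profileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$Server</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>Eap</UserMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
$($routes -join "`n")
  <DomainNameInformation>
    <DomainName>$Suffix</DomainName>
    <DnsServers>$DnsServers</DnsServers>
    <AutoTrigger>true</AutoTrigger>
  </DomainNameInformation>
</VPNProfile>
"@
# Reject a profile that is not well-formed XML before it reaches the CSP
$null = [xml]$profileXml
# Apply through the MDM bridge (root\cimv2\mdm\dmmap); must run as SYSTEM
$ns = 'root\cimv2\mdm\dmmap'; $cls = 'MDM_VPNv2_01'
$id = [uri]::EscapeDataString($ProfileName)
$session = New-CimSession
# Remove any existing profile with the same name so the new XML replaces it
Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
    Where-Object InstanceID -eq $id | Remove-CimInstance
$inst = New-Object Microsoft.Management.Infrastructure.CimInstance $cls, $ns
foreach ($p in @(
    @('ParentID',   './Vendor/MSFT/VPNv2', 'Key'),
    @('InstanceID', $id,                   'Key'),
    @('ProfileXML', [System.Security.SecurityElement]::Escape($profileXml), 'Property'))) {
    $inst.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
}
$session.CreateInstance($ns, $inst) | Out-Null
```

The EAP configuration block is deliberately left out of the generated XML; a production profile must carry the `<Eap><Configuration>` element for the authentication method in use.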

Configuring Forced Tunneling for Specific Domains

Name-based split tunneling routes DNS queries for specific domains through the VPN tunnel while allowing all other DNS traffic to use the client’s local DNS. This ensures internal hostnames resolve correctly without routing all traffic through the VPN. Configure this in the DomainNameInformation section of the AOVPN profile.

$domainRouting = @"
  <!-- Leading dot: every host under the suffix resolves via the internal DNS server -->
  <DomainNameInformation>
    <DomainName>.yourdomain.com</DomainName>
    <DnsServers>10.0.1.10</DnsServers>
    <AutoTrigger>true</AutoTrigger>
  </DomainNameInformation>
  <!-- No leading dot: only this exact FQDN is matched -->
  <DomainNameInformation>
    <DomainName>app.intranet.local</DomainName>
    <DnsServers>10.0.1.10</DnsServers>
    <AutoTrigger>true</AutoTrigger>
  </DomainNameInformation>
"@

Configuring Inverse Split Tunneling (Force Tunnel with Exclusions)

Inverse split tunneling (also called force tunnel with exclusions) sends all traffic through the VPN except for specifically excluded destinations. This is useful for sending Microsoft 365 and Azure traffic directly to improve performance while keeping all other traffic on the corporate VPN for inspection. Set RoutingPolicyType to ForceTunnel and add exclusion routes.

$forceTunnelProfile = @"
<VPNProfile>
  <NativeProfile>
    <!-- Only the elements that differ from the split-tunnel profile are shown -->
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
  </NativeProfile>
  <!-- Exclusion routes: these prefixes bypass the tunnel even in ForceTunnel mode -->
  <Route>
    <Address>13.107.6.0</Address>
    <PrefixSize>24</PrefixSize>
    <ExclusionRoute>true</ExclusionRoute>
  </Route>
  <Route>
    <Address>52.96.0.0</Address>
    <PrefixSize>14</PrefixSize>
    <ExclusionRoute>true</ExclusionRoute>
  </Route>
</VPNProfile>
"@

Verifying Split Tunnel Configuration

After connecting via VPN, verify that split tunneling is working correctly. Check the routing table on the VPN client to confirm only corporate subnets are routed through the VPN adapter.

# Check the routing table while connected to VPN
route print

# Or use PowerShell to view routes through the VPN adapter
Get-NetRoute -InterfaceAlias "Corporate-VPN" | 
    Select-Object DestinationPrefix, NextHop, RouteMetric

Verify internet traffic bypasses the VPN:

# This should show your ISP's IP, not the corporate VPN IP
Invoke-WebRequest -Uri "https://api.ipify.org" -UseBasicParsing | Select-Object Content
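The manual checks above can be folded into one function that fails closed on the two conditions that matter: a default route bound to the VPN adapter (full tunnel in effect) and a corporate prefix missing from the adapter. This is an added example, not code from the original article; the connection name and prefixes are placeholders.

```powershell
# Added example (not from the original article): verify that an established
# VPN connection is split-tunnelled as intended. Placeholder names throughout.
function Test-SplitTunnel {
    param(
        [Parameter(Mandatory)] [string]   $ConnectionName,
        [Parameter(Mandatory)] [string[]] $ExpectedPrefixes
    )
    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    $problems = @(); $unexpected = @()

    if (-not $conn.SplitTunneling) {
        $problems += "SplitTunneling is disabled on '$ConnectionName' (full tunnel)"
    }
    if ($conn.ConnectionStatus -ne 'Connected') {
        $problems += "Connection status is '$($conn.ConnectionStatus)'; routing checks need an active tunnel"
    } else {
        # The VPN adapter's interface alias matches the connection name
        $vpnRoutes = @(Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue)
        $prefixes  = @($vpnRoutes.DestinationPrefix)
        # A default route on the VPN adapter means every packet is tunnelled
        if ($prefixes -contains '0.0.0.0/0') {
            $problems += 'Default route 0.0.0.0/0 is bound to the VPN adapter'
        }
        foreach ($prefix in $ExpectedPrefixes) {
            if ($prefixes -notcontains $prefix) {
                $problems += "Corporate prefix $prefix is not routed via the VPN adapter"
            }
        }
        # Anything else on the adapter is reported for review; the client's own /32
        # host route and the multicast route are normal and are filtered out
        $unexpected = @($prefixes | Where-Object {
            $_ -notin $ExpectedPrefixes -and $_ -ne '0.0.0.0/0' -and
            $_ -notlike '*/32' -and $_ -ne '224.0.0.0/4'
        })
    }
    [pscustomobject]@{
        Connection = $ConnectionName
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
        Unexpected = $unexpected
    }
}

# Example run against the connection and prefixes used in this tutorial
Test-SplitTunnel -ConnectionName 'Corporate-VPN' `
    -ExpectedPrefixes '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' | Format-List
```

Run it after the tunnel is up; Compliant is false if either the default route or any expected prefix check fails, and Unexpected lists prefixes on the adapter that the policy did not specify.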

Deploying Split Tunnel Configuration via Group Policy

For traditional VPN connections, deploy split tunneling configuration using Group Policy preferences to set registry values, or use a login script that runs Set-VpnConnection and Add-VpnConnectionRoute on each client after VPN profile creation.

# Logon script to configure split tunneling on existing VPN connection
if (Get-VpnConnection -Name "Corporate-VPN" -ErrorAction SilentlyContinue) {
    Set-VpnConnection -Name "Corporate-VPN" -SplitTunneling $true
    Add-VpnConnectionRoute -ConnectionName "Corporate-VPN" -DestinationPrefix "10.0.0.0/8" -ErrorAction SilentlyContinue
    Add-VpnConnectionRoute -ConnectionName "Corporate-VPN" -DestinationPrefix "172.16.0.0/12" -ErrorAction SilentlyContinue
}

Conclusion

Split tunneling for VPN on Windows Server 2019 significantly reduces bandwidth consumption and improves performance for remote users by routing only corporate traffic through the encrypted tunnel. The choice between split tunneling, full tunneling, and inverse split tunneling should be based on your security requirements—organizations with strict DLP and web filtering requirements may prefer full or inverse tunneling. For Always On VPN, the XML profile approach gives fine-grained control over exactly which subnets and domains are handled by the VPN, enabling precise optimization of remote access traffic flows.