PRACTITIONER GUIDE | NETWORK SECURITY
Practitioner GuideUpdated 11 min read

VPN Split Tunneling: Security Risks, When It Is Acceptable, and How to Monitor It

Visibility gap
is the primary risk of split tunneling. Internet-bound traffic from the endpoint bypasses corporate web proxies, DNS security, and DLP controls. An endpoint infected with malware can communicate with C2 servers over the internet without the traffic passing through any corporate inspection point
C2 via HTTPS
is the dominant command-and-control mechanism for modern malware because it blends into normal web traffic. On a split-tunnel VPN, malware C2 traffic goes directly from the endpoint to the internet, never touching your firewall, proxy, or DNS security controls
Microsoft 365 split tunnel
is explicitly recommended by Microsoft for Microsoft 365 traffic because routing O365 through a VPN adds latency and can cause intermittent connectivity issues. This Microsoft guidance is frequently misapplied as 'split tunneling is fine for everything'
EDR + DNS security
are the compensating controls that maintain visibility for split-tunnel configurations. EDR covers endpoint process and network activity. DNS security (Cisco Umbrella, Cloudflare Gateway, Zscaler) covers C2 domain detection regardless of VPN state

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The tension around split tunneling is real: full-tunnel VPN causes performance problems, capacity pressure on VPN infrastructure, and user complaints about slow internet during remote work. Split tunneling solves those problems but removes corporate web proxy, DNS filtering, and DLP from the traffic that is now going directly to the internet. The answer is not always 'refuse to allow split tunneling' -- the answer is 'identify the security controls that must remain active regardless of tunnel mode and deploy them at the endpoint level rather than at the network perimeter.'

What Security Controls Split Tunneling Bypasses

Understanding exactly what is lost with split tunneling is the prerequisite for compensating control selection.

Controls that break:

  • Perimeter web proxy / Secure Web Gateway (SWG): Internet-bound traffic does not pass through the corporate proxy, so URL categorization, SSL inspection, and content filtering do not apply to remote users
  • Perimeter DNS filtering: DNS queries for internet domains may not go to the corporate recursive resolver (depends on DNS split-brain configuration), bypassing DNS-based threat blocking (sinkholing of known C2 domains)
  • Network DLP: Data exfiltration to external services does not pass through the corporate DLP sensor at the perimeter
  • NetFlow / IPFIX monitoring: The SOC cannot see internet-bound traffic from the endpoint -- only traffic to internal corporate networks
  • Firewall egress policies: Outbound connections to blocked categories (cryptocurrency exchanges, personal cloud storage, known malicious IPs) are not blocked by corporate firewall rules

Controls that still work:

  • EDR: Endpoint Detection and Response agents run on the device regardless of network path. Process execution, file modifications, and lateral movement to internal hosts are still visible
  • Defender / AV: On-device antivirus still scans downloads and running processes
  • Endpoint-based DNS security: If DNS filtering is deployed as an endpoint agent (Umbrella Roaming Client, Cloudflare WARP) rather than relying on resolver IP routing, it still works in split tunnel mode

When Split Tunneling Is an Acceptable Tradeoff

Split tunneling is defensible under these conditions:

Acceptable:

  • You have an endpoint DNS security agent deployed that provides C2 domain blocking regardless of VPN state (Umbrella Roaming Client, Zscaler Client Connector, Cloudflare Gateway with WARP agent)
  • You have EDR deployed and the EDR platform has network visibility (process-level network telemetry, not just perimeter NetFlow)
  • The applications being split-tunneled are well-known SaaS applications (Microsoft 365, Zoom, Google Workspace) with specific IP ranges and no DLP risk
  • Your DLP controls are applied at the SaaS application layer (CASB, Microsoft Purview, Google DLP) rather than relying on perimeter inspection

Not acceptable:

  • Your only DNS protection is a perimeter DNS resolver with no endpoint agent
  • You have no EDR deployed or EDR is not providing network telemetry
  • Users handle highly regulated data (PCI card data, PHI, classified) on their endpoints with no endpoint DLP
  • You are in a regulated environment (HIPAA, PCI DSS, FedRAMP) that requires demonstrable inspection of all outbound traffic
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Compensating Controls for Split Tunnel Environments

If split tunneling is required for performance or operational reasons, these controls compensate for the lost perimeter visibility:

1. Endpoint DNS Security Agent (highest priority) Deploy a DNS security agent directly on endpoints that enforces DNS filtering regardless of VPN state:

  • Cisco Umbrella Roaming Client
  • Cloudflare Gateway with WARP
  • Zscaler Client Connector with DNS control

This is the single most important compensating control because C2 over HTTPS blends in, but C2 domain resolution is still visible in DNS.

2. CASB for SaaS visibility Cloud Access Security Broker provides visibility and DLP for SaaS application usage:

  • Can enforce policies on Microsoft 365, Google Workspace, Box, etc. at the application API layer regardless of network path
  • Identifies shadow IT (unauthorized SaaS usage) that perimeter inspection would have caught

3. Enforce DNS configuration via MDM Prevent users from changing DNS to bypass endpoint DNS security:

# Intune: Device Configuration > DNS settings
# Or via GPO for domain-joined devices:
Set-DnsClientServerAddress -InterfaceAlias 'Wi-Fi' -ServerAddresses '208.67.222.222'
# Lock DNS server settings to prevent user modification

4. EDR Network Telemetry Configure EDR to log all network connections from the endpoint, not just those matching threat signatures:

  • CrowdStrike: Falcon Network Containment + network telemetry enabled
  • SentinelOne: Deep Visibility network events
  • Microsoft Defender for Endpoint: Advanced Hunting, DeviceNetworkEvents table

Detecting Unauthorized Split Tunneling

When your VPN policy says full-tunnel but you suspect users or malware are bypassing it:

Method 1: Check the routing table on the endpoint

# Windows -- should show default route (0.0.0.0/0) via VPN adapter when in full-tunnel mode
route print
# If you see 0.0.0.0 with a gateway pointing to the physical NIC, split tunneling is active

# macOS
netstat -rn
# Same check -- default route should be via utun (VPN adapter)

Method 2: EDR telemetry for internet-bound connections while VPN is active

// Microsoft Defender for Endpoint Advanced Hunting
// Find devices with VPN processes running that also have direct internet connections
DeviceNetworkEvents
| where RemoteIPType == "Public"
| join kind=leftsemi (
    DeviceProcessEvents
    | where FileName in~ ("vpnagent.exe", "GlobalProtect.exe", "zscaler.exe", "FortiClient.exe")
    | distinct DeviceId
) on DeviceId
| where RemotePort in (80, 443, 8080, 8443)
| summarize count() by DeviceName, RemoteUrl
| where count_ > 100

Method 3: VPN gateway logs -- identify users sending minimal traffic A user who is 'connected' to the VPN but whose traffic volume through the VPN is near zero while their endpoint is clearly active is likely split tunneling or tunneling only a small amount:

# Look for sessions with low bytes-in/bytes-out relative to session duration
# Specific query depends on your VPN gateway -- Cisco, Palo Alto, Fortinet all have session logs

The bottom line

Split tunneling is a security tradeoff, not an inherent security failure. Full-tunnel VPN is the more secure default but creates real operational problems at scale. The defensible split-tunnel posture requires: an endpoint DNS security agent for C2 domain blocking, EDR with network telemetry for process-level visibility, and CASB or endpoint DLP if your users handle regulated data. Without at least an endpoint DNS agent, split tunneling removes your primary visibility into the most common modern malware communication channel. Audit your VPN session logs regularly for users with low through-tunnel traffic volumes -- they are likely already bypassing your full-tunnel policy.

Frequently asked questions

Is split tunneling more or less secure than a full-tunnel VPN?

Full-tunnel VPN is more secure from a network visibility and control perspective. It routes all traffic through corporate security controls. Split tunneling trades that visibility for performance and capacity. The security gap depends entirely on what controls you have at the endpoint level to compensate. With a mature endpoint security stack (EDR, endpoint DNS filtering, CASB), split tunneling's residual risk is much smaller than with no endpoint controls. With no compensating controls, split tunneling leaves internet-bound traffic from corporate endpoints completely uninspected.

What is the difference between split tunneling and reverse split tunneling?

In standard split tunneling, specific corporate-bound traffic goes through the VPN tunnel and everything else (internet traffic) goes directly to the internet. In reverse split tunneling (sometimes called inverse split tunneling), specific internet-bound traffic is excluded from the tunnel while everything else goes through the VPN. Reverse split tunneling is often used to exclude high-bandwidth applications like video conferencing and software updates from VPN traffic. Both configurations create the same fundamental visibility gap for the traffic that is not tunneled.

Does Microsoft recommend split tunneling for Microsoft 365?

Yes, Microsoft explicitly recommends split-tunneling Microsoft 365 Optimize-category endpoints out of the VPN tunnel. The rationale is that O365 traffic routed through a VPN hairpin adds latency, reduces reliability, and creates VPN infrastructure capacity problems. Microsoft publishes specific IP ranges and FQDNs for these endpoints. This recommendation applies only to those specific endpoints -- it is not a blanket endorsement of split tunneling for all traffic. Organizations frequently misread this as 'split tunneling is fine' and end up with far more traffic excluded from the tunnel than Microsoft intended.

Can malware use split tunneling to bypass corporate controls?

Yes, this is the primary security concern. On a split-tunnel VPN, malware running on the endpoint can communicate with C2 infrastructure over the internet without passing through any corporate security inspection point. The C2 traffic is just another HTTPS connection to the internet from the endpoint's perspective. EDR network telemetry and endpoint DNS security are the controls that address this -- they operate at the endpoint, not the network perimeter, and therefore remain effective regardless of VPN tunnel configuration.

How do I enforce full-tunnel VPN policy and prevent users from changing it?

Full-tunnel enforcement is a VPN client configuration setting, not a user-accessible toggle. Enforce it via your MDM profile (Intune, Jamf) that deploys the VPN client configuration -- lock down the profile so users cannot modify the split tunneling setting. For Windows: configure the VPN profile via Intune Device Configuration, set Split Tunneling to disabled, and mark the profile as non-removable. For macOS: use a Jamf profile with a locked VPN payload. Verify enforcement by checking the routing table on managed devices after VPN connection (route print on Windows, netstat -rn on macOS) -- the default route should point through the VPN adapter.

How do I monitor split-tunnel VPN environments to detect exfiltration that bypasses corporate controls?

In a split-tunnel environment, corporate security controls (proxy, DLP, IDS) do not inspect direct internet traffic. Compensating monitoring controls: DNS security at the endpoint (Umbrella, Cloudflare Gateway for Teams) applies security filtering to DNS queries regardless of VPN tunnel configuration, blocking C2 domains and logging all DNS resolutions. EDR network telemetry records all outbound connections from the endpoint including traffic that does not traverse the VPN, providing visibility into direct internet connections. Agent-based DLP on the endpoint monitors file operations and network transfers at the process layer, catching data movement to cloud storage or external hosts even without network traffic inspection. For detecting large data exfiltration: compare data volumes in VPN logs (corporate traffic) against MDM/EDR agent network statistics (total traffic including internet) -- a large discrepancy between the two indicates significant direct internet traffic worth investigating.

Sources & references

  1. NCSC: VPN configuration guidance
  2. CISA: Guidance on Virtual Private Networks
  3. Microsoft: Split tunneling considerations for Microsoft 365

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.