VPN Split Tunneling: Security Risks, When It Is Acceptable, and How to Monitor It

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The tension around split tunneling is real: full-tunnel VPN causes performance problems, capacity pressure on VPN infrastructure, and user complaints about slow internet during remote work. Split tunneling solves those problems but removes corporate web proxy, DNS filtering, and DLP from the traffic that is now going directly to the internet. The answer is not always 'refuse to allow split tunneling' -- the answer is 'identify the security controls that must remain active regardless of tunnel mode and deploy them at the endpoint level rather than at the network perimeter.'
What Security Controls Split Tunneling Bypasses
Understanding exactly what is lost with split tunneling is the prerequisite for compensating control selection.
Controls that break:
- Perimeter web proxy / Secure Web Gateway (SWG): Internet-bound traffic does not pass through the corporate proxy, so URL categorization, SSL inspection, and content filtering do not apply to remote users
- Perimeter DNS filtering: DNS queries for internet domains may not go to the corporate recursive resolver (depends on DNS split-brain configuration), bypassing DNS-based threat blocking (sinkholing of known C2 domains)
- Network DLP: Data exfiltration to external services does not pass through the corporate DLP sensor at the perimeter
- NetFlow / IPFIX monitoring: The SOC cannot see internet-bound traffic from the endpoint -- only traffic to internal corporate networks
- Firewall egress policies: Outbound connections to blocked categories (cryptocurrency exchanges, personal cloud storage, known malicious IPs) are not blocked by corporate firewall rules
Controls that still work:
- EDR: Endpoint Detection and Response agents run on the device regardless of network path. Process execution, file modifications, and lateral movement to internal hosts are still visible
- Defender / AV: On-device antivirus still scans downloads and running processes
- Endpoint-based DNS security: If DNS filtering is deployed as an endpoint agent (Umbrella Roaming Client, Cloudflare WARP) rather than relying on resolver IP routing, it still works in split tunnel mode
When Split Tunneling Is an Acceptable Tradeoff
Split tunneling is defensible under these conditions:
Acceptable:
- You have an endpoint DNS security agent deployed that provides C2 domain blocking regardless of VPN state (Umbrella Roaming Client, Zscaler Client Connector, Cloudflare Gateway with WARP agent)
- You have EDR deployed and the EDR platform has network visibility (process-level network telemetry, not just perimeter NetFlow)
- The applications being split-tunneled are well-known SaaS applications (Microsoft 365, Zoom, Google Workspace) with specific IP ranges and no DLP risk
- Your DLP controls are applied at the SaaS application layer (CASB, Microsoft Purview, Google DLP) rather than relying on perimeter inspection
Not acceptable:
- Your only DNS protection is a perimeter DNS resolver with no endpoint agent
- You have no EDR deployed or EDR is not providing network telemetry
- Users handle highly regulated data (PCI card data, PHI, classified) on their endpoints with no endpoint DLP
- You are in a regulated environment (HIPAA, PCI DSS, FedRAMP) that requires demonstrable inspection of all outbound traffic
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Compensating Controls for Split Tunnel Environments
If split tunneling is required for performance or operational reasons, these controls compensate for the lost perimeter visibility:
1. Endpoint DNS Security Agent (highest priority) Deploy a DNS security agent directly on endpoints that enforces DNS filtering regardless of VPN state:
- Cisco Umbrella Roaming Client
- Cloudflare Gateway with WARP
- Zscaler Client Connector with DNS control
This is the single most important compensating control because C2 over HTTPS blends in, but C2 domain resolution is still visible in DNS.
2. CASB for SaaS visibility Cloud Access Security Broker provides visibility and DLP for SaaS application usage:
- Can enforce policies on Microsoft 365, Google Workspace, Box, etc. at the application API layer regardless of network path
- Identifies shadow IT (unauthorized SaaS usage) that perimeter inspection would have caught
3. Enforce DNS configuration via MDM Prevent users from changing DNS to bypass endpoint DNS security:
# Intune: Device Configuration > DNS settings
# Or via GPO for domain-joined devices:
Set-DnsClientServerAddress -InterfaceAlias 'Wi-Fi' -ServerAddresses '208.67.222.222'
# Lock DNS server settings to prevent user modification
4. EDR Network Telemetry Configure EDR to log all network connections from the endpoint, not just those matching threat signatures:
- CrowdStrike: Falcon Network Containment + network telemetry enabled
- SentinelOne: Deep Visibility network events
- Microsoft Defender for Endpoint: Advanced Hunting, DeviceNetworkEvents table
Detecting Unauthorized Split Tunneling
When your VPN policy says full-tunnel but you suspect users or malware are bypassing it:
Method 1: Check the routing table on the endpoint
# Windows -- should show default route (0.0.0.0/0) via VPN adapter when in full-tunnel mode
route print
# If you see 0.0.0.0 with a gateway pointing to the physical NIC, split tunneling is active
# macOS
netstat -rn
# Same check -- default route should be via utun (VPN adapter)
Method 2: EDR telemetry for internet-bound connections while VPN is active
// Microsoft Defender for Endpoint Advanced Hunting
// Find devices with VPN processes running that also have direct internet connections
DeviceNetworkEvents
| where RemoteIPType == "Public"
| join kind=leftsemi (
DeviceProcessEvents
| where FileName in~ ("vpnagent.exe", "GlobalProtect.exe", "zscaler.exe", "FortiClient.exe")
| distinct DeviceId
) on DeviceId
| where RemotePort in (80, 443, 8080, 8443)
| summarize count() by DeviceName, RemoteUrl
| where count_ > 100
Method 3: VPN gateway logs -- identify users sending minimal traffic A user who is 'connected' to the VPN but whose traffic volume through the VPN is near zero while their endpoint is clearly active is likely split tunneling or tunneling only a small amount:
# Look for sessions with low bytes-in/bytes-out relative to session duration
# Specific query depends on your VPN gateway -- Cisco, Palo Alto, Fortinet all have session logs
The bottom line
Split tunneling is a security tradeoff, not an inherent security failure. Full-tunnel VPN is the more secure default but creates real operational problems at scale. The defensible split-tunnel posture requires: an endpoint DNS security agent for C2 domain blocking, EDR with network telemetry for process-level visibility, and CASB or endpoint DLP if your users handle regulated data. Without at least an endpoint DNS agent, split tunneling removes your primary visibility into the most common modern malware communication channel. Audit your VPN session logs regularly for users with low through-tunnel traffic volumes -- they are likely already bypassing your full-tunnel policy.
Frequently asked questions
Is split tunneling more or less secure than a full-tunnel VPN?
Full-tunnel VPN is more secure from a network visibility and control perspective. It routes all traffic through corporate security controls. Split tunneling trades that visibility for performance and capacity. The security gap depends entirely on what controls you have at the endpoint level to compensate. With a mature endpoint security stack (EDR, endpoint DNS filtering, CASB), split tunneling's residual risk is much smaller than with no endpoint controls. With no compensating controls, split tunneling leaves internet-bound traffic from corporate endpoints completely uninspected.
What is the difference between split tunneling and reverse split tunneling?
In standard split tunneling, specific corporate-bound traffic goes through the VPN tunnel and everything else (internet traffic) goes directly to the internet. In reverse split tunneling (sometimes called inverse split tunneling), specific internet-bound traffic is excluded from the tunnel while everything else goes through the VPN. Reverse split tunneling is often used to exclude high-bandwidth applications like video conferencing and software updates from VPN traffic. Both configurations create the same fundamental visibility gap for the traffic that is not tunneled.
Does Microsoft recommend split tunneling for Microsoft 365?
Yes, Microsoft explicitly recommends split-tunneling Microsoft 365 Optimize-category endpoints out of the VPN tunnel. The rationale is that O365 traffic routed through a VPN hairpin adds latency, reduces reliability, and creates VPN infrastructure capacity problems. Microsoft publishes specific IP ranges and FQDNs for these endpoints. This recommendation applies only to those specific endpoints -- it is not a blanket endorsement of split tunneling for all traffic. Organizations frequently misread this as 'split tunneling is fine' and end up with far more traffic excluded from the tunnel than Microsoft intended.
Can malware use split tunneling to bypass corporate controls?
Yes, this is the primary security concern. On a split-tunnel VPN, malware running on the endpoint can communicate with C2 infrastructure over the internet without passing through any corporate security inspection point. The C2 traffic is just another HTTPS connection to the internet from the endpoint's perspective. EDR network telemetry and endpoint DNS security are the controls that address this -- they operate at the endpoint, not the network perimeter, and therefore remain effective regardless of VPN tunnel configuration.
How do I enforce full-tunnel VPN policy and prevent users from changing it?
Full-tunnel enforcement is a VPN client configuration setting, not a user-accessible toggle. Enforce it via your MDM profile (Intune, Jamf) that deploys the VPN client configuration -- lock down the profile so users cannot modify the split tunneling setting. For Windows: configure the VPN profile via Intune Device Configuration, set Split Tunneling to disabled, and mark the profile as non-removable. For macOS: use a Jamf profile with a locked VPN payload. Verify enforcement by checking the routing table on managed devices after VPN connection (route print on Windows, netstat -rn on macOS) -- the default route should point through the VPN adapter.
How do I monitor split-tunnel VPN environments to detect exfiltration that bypasses corporate controls?
In a split-tunnel environment, corporate security controls (proxy, DLP, IDS) do not inspect direct internet traffic. Compensating monitoring controls: DNS security at the endpoint (Umbrella, Cloudflare Gateway for Teams) applies security filtering to DNS queries regardless of VPN tunnel configuration, blocking C2 domains and logging all DNS resolutions. EDR network telemetry records all outbound connections from the endpoint including traffic that does not traverse the VPN, providing visibility into direct internet connections. Agent-based DLP on the endpoint monitors file operations and network transfers at the process layer, catching data movement to cloud storage or external hosts even without network traffic inspection. For detecting large data exfiltration: compare data volumes in VPN logs (corporate traffic) against MDM/EDR agent network statistics (total traffic including internet) -- a large discrepancy between the two indicates significant direct internet traffic worth investigating.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
