This article will look at the difference between split tunnel vs full tunnel VPNs.
When you configure a VPN, you’ll have two options for VPN types that you can configure and use: split tunnel or full tunnel. The way that these two VPN types operate is drastically different and it’s important to understand exactly how they function before configuring your VPN.
The article below will look at some of the key differences between split tunnel vs. full tunnel VPNs to help you make an informed decision on which VPN type is best for you.
Split Tunnel vs. Full Tunnel
Before comparing the two, we’ll look at exactly what split tunnel and full tunnel VPNs are.
Split Tunneling VPN
A split tunnel VPN sends only the traffic that matches the VPN configuration through the VPN tunnel. All other traffic is sent through the local network without going through the tunnel.
For example, if you configure a split tunnel VPN to only route traffic for the 192.168.10.0/24 subnet, the VPN will only be used if you’re attempting to access a device on the 192.168.10.0/24 subnet. All other traffic is routed through the local network.
Split tunnel VPNs can be viewed as a good or bad thing depending on the requirements you have. We’ll take a look at a few reasons below.
| Pros | Cons |
|---|---|
| Only the traffic destined for the network where the VPN is hosted will be sent through the VPN tunnel. | You cannot secure a connection that you don’t trust (hotel, library, etc.) by connecting to a split tunnel VPN. |
| If the network where the VPN tunnel is hosted is metered (pay based on data used), full tunnel VPN clients will add to the data usage, but split tunnel VPN clients won’t. | IP addresses may periodically change, so there is generally maintenance to ensure that split tunnel VPNs continue operating as expected. |
| The performance will be faster for general web browsing. | |
Your external IP address on a split tunnel VPN will be the IP address of the network that you’re currently on.
Split Tunnel VPN Example
The image below shows a WireGuard split tunnel VPN (configured on pfSense). The AllowedIPs section is listed as 10.200.0.0/24 and 10.2.0.0/24.
The only traffic that will be routed over this VPN tunnel is traffic for the 10.200.0.0/24 and 10.2.0.0/24 subnets. All other traffic will go out to the internet through the local network.
Full Tunneling VPN
A full-tunnel VPN is the complete opposite of a split-tunnel VPN. While a split tunnel VPN selectively determines which traffic should and should not be routed over the VPN tunnel, a full tunnel VPN will route all traffic over the VPN.
This can be viewed as a good or bad thing depending on the network. We’ll take a look at a few reasons below.
| Pros | Cons |
|---|---|
| You can secure a connection that you don’t trust (hotel, library, etc.) by connecting to a full tunnel VPN. | If the network where the VPN tunnel is hosted is metered (pay based on data used), VPN clients will add to the data usage. |
| Less maintenance overall, as there’s no requirement to maintain a list of IP addresses that should use the VPN. | If you don’t have to secure a connection (meaning you’re on a trusted network), you’re routing all traffic through the VPN tunnel, which might not be necessary. |
| | The performance will be slower for general web browsing. |
Your external IP address when connected to a full tunnel VPN will be the IP address of the location where the VPN server is hosted.
Full Tunnel VPN Example
The image below shows a WireGuard full tunnel VPN (configured on pfSense). The AllowedIPs section is listed as 0.0.0.0/0, which will route all traffic over the VPN tunnel.
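The AllowedIPs behaviour from the split tunnel and full tunnel examples above, as an added Python example (not from the original article and not pfSense or WireGuard code): it parses a peer's AllowedIPs and reports whether a destination would use the tunnel. The peer key and endpoint are placeholders, the function names are hypothetical, and it goes one step beyond the article by flagging that 0.0.0.0/0 on its own covers IPv4 only.

```python
import ipaddress

# Constructed sample peer sections; the AllowedIPs values are the ones the
# article shows, the key and endpoint are placeholders.
SPLIT_CONF = """[Peer]
PublicKey = <peer-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.200.0.0/24, 10.2.0.0/24
"""
FULL_CONF = """[Peer]
PublicKey = <peer-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""

def allowed_ips(conf):
    """Collect every network listed on AllowedIPs lines of a WireGuard config."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def route_for(dest, nets):
    """Return 'tunnel' if dest falls inside an AllowedIPs network, else 'local'."""
    addr = ipaddress.ip_address(dest)
    hit = any(addr.version == n.version and addr in n for n in nets)
    return "tunnel" if hit else "local"

def tunnel_mode(nets):
    """Classify a peer; a full tunnel needs a default route per address family."""
    v4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if v4 and v6:
        return "full"
    if v4 or v6:
        return "full-ipv4-only" if v4 else "full-ipv6-only"
    return "split"

if __name__ == "__main__":
    for name, conf in (("split", SPLIT_CONF), ("full", FULL_CONF)):
        nets = allowed_ips(conf)
        print(name, "->", tunnel_mode(nets))
        for dest in ("10.200.0.15", "10.2.0.7", "8.8.8.8", "2001:db8::1"):
            print("  ", dest, "->", route_for(dest, nets))
```

Only AllowedIPs is modelled here; other routes on the client are ignored. For a full tunnel that also carries IPv6, the peer needs ::/0 alongside 0.0.0.0/0.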
Split Tunneling vs. Full Tunneling
When comparing split tunneling vs. full tunneling, you have to consider the environment and determine which option makes more sense for it.
For example, in an enterprise environment where there might be VoIP calls, a split-tunnel VPN makes more sense as you might have performance issues with a full-tunnel VPN.
However, you must weigh that against any security benefits of routing all traffic over the VPN tunnel, which you won’t get with a split tunnel.
Overall, the requirements determine if a split tunnel or full tunnel VPN should be used, but most people will be happy with a split tunnel VPN if accessing devices using the VPN is the only goal.
Split Tunnel vs. Full Tunnel VPN Example
The screenshot shows an example of the network flow differences between a split tunnel vs. full tunnel VPN. Notice how all traffic is routed over the VPN when connected to a full tunnel VPN.
NOTE: This is not the exact network flow. I am simplifying the process as much as I can.
Conclusion: Split Tunnel vs. Full Tunnel VPN
The article above looked at the key differences between split tunnel vs. full tunnel VPNs. In general, most people should set up both if possible so that they can secure their connection with a full tunnel VPN when needed and use a split tunnel VPN at all other times.
For most home users, a split-tunnel VPN is best as you’ll only route traffic over the VPN when needed. For business users, there are benefits to routing all traffic over the VPN tunnel from a security perspective so that is sometimes best.