VPN Split Tunneling with Twingate
by Erin Risk


VPN split tunneling is a partial solution to the performance and usability issues VPN technologies create. By concentrating all remote traffic through gateways, VPN systems burden network infrastructure and degrade the user experience. Split tunneling can fix some of these issues. However, setting up split tunneling the wrong way can create holes in a company’s secure perimeter.

In this article, we will explain the intention behind VPN split tunneling, the benefits it offers, as well as the risks it creates. We will also explain why split tunneling is another reason companies are switching from VPN systems to modern access control solutions based on Zero Trust.

What is VPN Split Tunneling?

VPN split tunneling routes protected traffic through a company’s VPN gateway while sending less sensitive traffic through the user’s local network and the public internet. Split tunneling solves several problems inherent to VPN’s design.

VPN gateway performance - By default, VPN systems encrypt and route all user traffic through a VPN gateway. The encryption applies to user emails, video conference streams, and Facebook scrolling. The VPN gateway must decrypt all this traffic and then encrypt everything going back to the user. With fixed processing capacity, gateway appliances struggle with sudden surges in remote activity.

Network performance - VPN imposes a burden on the private network by concentrating all remote traffic. The private network must route all traffic, whether or not it is work-related. Networks that were not designed for high volume remote traffic will need expensive upgrades to restore bandwidth to optimal levels.

Endpoint performance - Congested VPN gateways and bandwidth-constrained private networks directly impact the user experience. In addition, user traffic must also travel through the private network to cloud resources and back. This backhaul can significantly increase latency, further undermining productivity.

Access to local resources - The all-or-nothing nature of VPN default settings can block access to local resources. A remote user sitting in a co-working space, for example, will not be able to access local networked printers while their corporate VPN is engaged.

Access to multiple resources - Companies improve network security by segmenting their networks and assigning each subnet its own VPN gateway. Users can only connect to one gateway — and one set of resources — at a time. They must disconnect and reconnect as they switch between resources.

What are the benefits of VPN Split Tunneling?

VPN split tunneling routes essential, protected traffic and non-essential, personal traffic differently. The protected traffic travels through an encrypted tunnel to the company’s VPN gateway. The remote user’s local network connection handles the non-essential traffic. Splitting traffic like this addresses the issues VPN creates.

VPN gateway performance - With less traffic arriving at the VPN gateway, the appliance’s overall workload is reduced, and congestion eases. Split tunneling lets a company’s existing gateways handle more remote users, which could postpone the need for expensive upgrades.

Network performance - As VPN gateway traffic declines, so does network traffic. Administrators can further improve performance by splitting video conferencing and other bandwidth-intensive activities from the VPN tunnel. However, traffic destined for cloud resources will still get backhauled through the company network.

Endpoint performance - The gateway and network performance improvement will bring the remote user experience closer to the in-office experience. Shifting video conferencing apps to the user’s internet connection may improve video and audio quality.

Access to local resources - VPN split tunneling applies to all network traffic on users’ devices, not just their internet traffic. As a result, users regain access to printers and other resources on their local networks.

Access to multiple resources - Companies can configure VPN split tunneling so users can have multiple active VPN sessions. This configuration eliminates the need for users to switch between gateways and improves productivity.

Different types of split tunneling

When companies want to take advantage of VPN split tunneling’s benefits, they can combine one or more of the following approaches:

Split-include - An access control list (ACL) defines which IP addresses or apps must be included in the VPN’s encrypted tunnel. All other traffic routes through the user’s local network or onto the public internet. This may be useful in bring-your-own-device scenarios. Administrators can define the company-related traffic to include in the secure VPN tunnel while leaving users’ personal activity alone.

Split-exclude - Also referred to as inverse split tunneling, this approach defines which IP addresses or apps to exclude from the encrypted tunnel. All other user traffic passes through the VPN gateway. Administrators can use split-exclude tunneling to shift bandwidth-intensive traffic off the private network.

Dynamic - When resources rely on pools of IP addresses or pass through NAT firewalls, the destination IP address will change from session to session. Rather than creating complex static ACL rules, dynamic split tunneling applies exclude or include rules at the moment a DNS server resolves the domain, using the addresses returned in that answer.

Dual-stack networking - In many cases, the ACL rules that a VPN system applies to IPv4 traffic will not automatically apply to IPv6 traffic. Administrators can take advantage of this to apply separate rules for any applications that use IPv6. Otherwise, administrators should ensure that their VPN systems apply consistent rules to both stacks.

Are there any risks with split tunneling?

VPN split tunneling alleviates the performance and usability issues associated with VPN’s hub-and-spoke topology. However, those benefits come at a cost. The traffic that does not pass through a VPN gateway does not pass through the company’s security stack.

A split-include implementation may be particularly risky. Letting much of a user’s traffic bypass the security stack creates opportunities for hackers to compromise the user’s device and penetrate the company network.

Exclusion rules, whether static or dynamic, can be more secure. Administrators define the specific apps, IP addresses, or domains that can safely bypass the security stack. For example, a video conferencing service’s internal security may justify excluding its traffic from the company’s security measures.

Another risk associated with VPN split tunneling is the impact on network visibility. Certain types of user traffic will not be monitored, making it harder to identify malware or hackers moving through the network. Split tunneling can also impact security compliance as inappropriate user activity may go unmonitored.

The complexity of VPN split tunneling configurations also creates risk. Conflicting or inconsistent rules could open pathways into the network. In addition, administrators need to look closely at the applications they exclude from VPN tunnels. For example, how should the company handle a video conferencing app with file-sharing capabilities?
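The following Python model is an added example for this article, not Twingate code or a real VPN client. It shows how the split-include, split-exclude and dynamic (DNS-driven) approaches from the "Different types of split tunneling" section decide where a packet goes, and then runs the kind of consistency audit the paragraph above calls for: it flags IPv4-only rule sets that leave IPv6 traffic on the default path, and it flags rule sets that would let a company prefix bypass the tunnel. The `FAKE_DNS` answers, the prefixes and the `protected` list are constructed for the demo; a real client learns dynamic rules from live resolver responses and installs them in the host route table.

```python
"""Split-tunnel policy evaluator and audit (added example, not a VPN product's code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the DNS answers a client observes during a session.
FAKE_DNS = {
    "video.example-conf.test": ["203.0.113.10", "2001:db8:cafe::10"],
    "intranet.corp.test": ["10.20.0.5"],
}


def _parse_prefix(rule):
    """Return an ip_network for a CIDR/address rule, or None if the rule is a domain name."""
    try:
        return ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return None


@dataclass
class SplitTunnelPolicy:
    mode: str                 # "include": only matches are tunnelled; "exclude": matches bypass
    rules: list               # CIDR prefixes, single addresses, or domain names (dynamic rules)
    protected: list = field(default_factory=list)  # company prefixes that must always be tunnelled

    def __post_init__(self):
        if self.mode not in ("include", "exclude"):
            raise ValueError("mode must be 'include' or 'exclude'")
        self.static = [n for n in (_parse_prefix(r) for r in self.rules) if n is not None]
        self.domains = [r for r in self.rules if _parse_prefix(r) is None]
        self.dynamic = []     # prefixes learned from DNS answers for domain rules

    def observe_dns(self, name, answers):
        """Dynamic split tunneling: a DNS answer for a domain rule turns into address rules."""
        if name in self.domains:
            self.dynamic.extend(ipaddress.ip_network(a) for a in answers)

    def _matches(self, dest):
        ip = ipaddress.ip_address(dest)
        # 'in' is False across IP versions, so an IPv4 rule never matches an IPv6 destination.
        return any(ip in n for n in self.static + self.dynamic)

    def route(self, dest):
        """Return 'tunnel' or 'local' for a destination address under this policy."""
        hit = self._matches(dest)
        if self.mode == "include":
            return "tunnel" if hit else "local"
        return "local" if hit else "tunnel"

    def audit(self):
        """Return human-readable findings for the dual-stack and protected-prefix risks."""
        findings = []
        all_rules = self.static + self.dynamic
        versions = {n.version for n in all_rules}
        default_path = "local" if self.mode == "include" else "tunnel"
        if 4 in versions and 6 not in versions:
            findings.append(f"rules cover IPv4 only; all IPv6 traffic takes the default path ({default_path})")
        for p in (ipaddress.ip_network(x) for x in self.protected):
            same_version = [n for n in all_rules if n.version == p.version]
            if self.mode == "exclude":
                for n in same_version:
                    if n.overlaps(p):
                        findings.append(f"exclude rule {n} overlaps protected prefix {p}")
            elif not any(p.subnet_of(n) for n in same_version):
                findings.append(f"protected prefix {p} is not covered by any include rule")
        return findings


def demo():
    """Evaluate a split-include and a split-exclude policy against constructed destinations."""
    include = SplitTunnelPolicy("include", ["10.20.0.0/16"],
                                protected=["10.20.0.0/16", "2001:db8:20::/48"])
    exclude = SplitTunnelPolicy("exclude", ["video.example-conf.test", "198.51.100.0/24"],
                                protected=["10.20.0.0/16"])
    exclude.observe_dns("video.example-conf.test", FAKE_DNS["video.example-conf.test"])
    return {
        "include_corp": include.route("10.20.0.5"),
        "include_web": include.route("93.184.216.34"),
        "exclude_video_v4": exclude.route("203.0.113.10"),
        "exclude_video_v6": exclude.route("2001:db8:cafe::10"),
        "exclude_corp": exclude.route("10.20.0.5"),
        "include_findings": include.audit(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit deliberately treats the IPv4-only case as a finding in both modes: under split-include it means company IPv6 resources are reached outside the tunnel, and under split-exclude it means the bandwidth savings silently stop applying to IPv6 destinations.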

How Twingate can help

In today’s distributed network environment, the concentration of traffic imposed by VPN technologies does not work. Companies have many resources stored in the cloud, and work-from-home policies have become common. VPN split tunneling is a partial solution that creates problems of its own.

Twingate’s modern approach to secure access creates a distributed network architecture designed for the way companies work today. All encrypted connections between user devices and protected resources are routed along the most performant direct path:

  • Traffic between a user and an on-premise resource travels over the company network.
  • Traffic between a user and cloud-hosted resources travels over the public internet.
  • Non-essential traffic never enters secure tunnels.

Twingate’s architecture enables split tunneling by default. The user’s local network and internet connection handle all non-essential traffic. All traffic destined for protected resources passes through dedicated encrypted tunnels. Only traffic for on-premise resources reaches the private network — traffic between the user and protected cloud resources tunnels across the public internet.

Twingate’s approach eliminates the issues that VPN technologies create. Networks become more performant and simpler to manage without legacy VPN technologies. The user experience also improves as they access multiple resources through low-latency connections.

Twingate simplifies access control

VPN split tunneling is a partial fix to the issues created by VPN’s aging technology. Even when a company does everything right, maintaining these systems piles more responsibilities onto network administrators. But VPN split tunneling is easy to do wrong. And that opens holes in the secure perimeter that hackers could breach at any time.

Twingate lets companies create distributed network architectures. Users and resources connect directly, freeing private networks from unnecessary traffic and maximizing the user experience. And Twingate’s split-tunneling-by-default policies remove non-essential traffic from the company’s private network.

Contact us to learn more about Twingate’s distributed network architecture. Or try it yourself by joining our free plan for individuals and small teams.
