
How to Set Up Split Tunneling on Windows VPN: Step-by-Step App Routing (2026)

If every search lands on “VPN split tunneling Windows explained” threads that never match your toolbar, start here. This tutorial walks through the DVDVPN Windows client: choose whether most traffic stays direct while only sensitive apps ride the tunnel—or the inverse—then layer domain and CIDR rules that survive daily desktop use. Along the way you will learn why split decisions interact with reconnects on Windows so you avoid silent misroutes.


On this page

  1. Who should enable split tunneling on Windows?
  2. Inverse split vs selective “VPN only here” setups
  3. DVDVPN Windows: open split rules and baseline policy
  4. Combining domains, subnets, and app intent
  5. Practical presets (games, conferencing, corp LAN)
  6. Verify Windows VPN routing without guesswork
  7. When Windows needs reconnect or firewall awareness
  8. Why a disciplined client beats ad hoc split tweaks

Who should enable split tunneling on Windows?

Windows users stumble into split tunneling for three recurring reasons—none of which are solved purely by shouting “disconnect when you finish.” Gaming clients need low jitter on the shortest path while the browser watches region-locked dashboards. Hybrid workers ping corporate SSO through the VPN but still rely on multicast discovery for printers downstairs. Developers run containers on RFC1918 networks that vanish whenever a clumsy installer sets “tunnel all IPv4”. Each scenario boils down to the same abstraction: splitting default routing intelligently beats toggling VPN on/off twenty times per day.

Split tunneling is not secrecy theater. It lets you articulate which workloads must inherit the confidentiality and exit geography of your VPN tunnel and which should continue to advertise your ISP’s vantage so latency-sensitive sessions stay sane. Poorly communicated split setups are how users leak DNS or misunderstand “split exclude,” so read every label deliberately before flipping toggles—not every vendor names features the same way.

Inverse split vs selective “VPN only here” setups

Most Windows guides collapse everything into jargon. Two mental models clarify the knobs you will twist inside DVDVPN—and how they resemble split strategies on Linux once you peel back the wording.

  • VPN-first with explicit bypass (often called whitelist-style): Every destination rides the tunnel unless your rules mark it direct. Prefer this when secrecy is baseline and bypasses are countable—LAN printers, multicast groups, localhost-style debugging, NAS shares on 192.168.x.x. It matches the intuition “encrypt everything risky, carve out what locally must breathe.” For background on transports that pair well with disciplined routing defaults, skim VPN protocols compared: WireGuard, OpenVPN, and proprietary transports after you stabilize rules.
  • Direct-first with curated tunnel targets (inverse split / blacklist-style): Most traffic skips the tunnel; only enumerated apps, domains, or subnets enter it. Reach for this when quotas matter or when you only need SaaS egress through secured infrastructure. Inverse splits reduce VPN overhead but amplify human error—you must revisit rules whenever workloads move between CDNs.

Neither mode is objectively “better.” What matters is whether your mental inventory of sensitive surfaces is short (inverse) or long (VPN-first). Windows app containers, Windows Subsystem for Linux, and virtualization layers add nuance—sometimes the process you excluded is only a shim for another executable. When in doubt, start VPN-first plus narrow LAN bypass lists, tighten later.

DVDVPN Windows: open split rules and baseline policy

Open the downloaded DVDVPN client on Windows 10 or 11, sign in, and postpone connecting until baseline routing is sane. Locate the routing or split-rule section—it mirrors the editor already familiar from other DVDVPN desktop builds: a default stance plus ordered rules. Choosing the stance first prevents thrashing afterwards.

  1. Launch DVDVPN elevated when Windows asks

     Routing changes require interacting with Wintun adapters and Windows Filtering Platform hooks. Accept the Administrator prompt honestly; rejecting it silently leaves phantom states that mimic “split enabled” while nothing changed.

  2. Open Settings → Split routing (or Routing rules)

     Scan for the default dropdown—language packs may shorten labels to Direct / VPN / Bypass. Pause on each tooltip; Windows loves recycling legacy names from SSTP dialogs.

  3. Pick baseline policy before adding granular rows

     Align the baseline with §2 (“VPN-first” versus “direct-first”). You can revise later, but expect sockets that already warmed up on the opposite path to linger there.

  4. Save, then reconnect once cleanly

     Windows kernel routing tables reconcile faster when you deliberately cycle the tunnel rather than hot-swapping contradictory entries mid-session.

Need the Linux analogue for lab machines? Mirror the workflow in Ubuntu VPN install & first-time setup; policy choices transfer even when systemd handles interfaces differently.

Combining domains, subnets, and app intent

Windows rarely exposes “pure per-app knobs” globally—some vendors bury them beneath driver-specific UI. DVDVPN’s editor pairs domain wildcards with CIDR rows so administrators can articulate intent declaratively:

  • Subnet rows cover printer VLANs (10.37.0.0/24), LAN discovery (224.0.0.251/32 when multicast is allowed), and Docker bridges (172.21.0.0/16). Add overlapping ranges carefully; narrower prefixes are easier to read and reason about.
  • Hostname rows handle SaaS egress when IP churn is unbearable (*.vendor.example). Remember apex vs wildcard coverage—matching example.com still misses cdn.example.net unless you broaden rules.
  • Effective order matters when multiple rows intersect; treat the table like a firewall chain and document why duplicates exist.

For mobile counterparts that describe split vocabulary at a glance, revisit Android VPN installation, nodes, & permission prompts—the OS surfaces differ wildly, yet the budgeting of “tunnel vs exempt” parallels Windows planning.

Kill switch interplay: If your profile enforces leak blocking on disconnect, split bypass entries must coexist with whichever emergency route your policy mandates. Never assume exclusions automatically disable safeguards—confirm behavior after toggling each mode.

Practical presets (games, conferencing, corp LAN)

Below are illustrative bundles—adapt hostnames before production use.

| Scenario | Baseline | Additions | Watchouts |
| --- | --- | --- | --- |
| Latency-sensitive FPS + browser research | Direct-first inverse split | Route only conferencing + browser subnets through tunnel | Anti-cheat may flag adapters that rewrite MTU unexpectedly |
| Hybrid work with VPN SSO | VPN-first | Bypass corp printers + internal git hosts via CIDR + domain | Split DNS can desync SSO if Windows resolver cache persists |
| Regional streaming audits | VPN-first selective rules | Explicit streaming domains routed through egress region nodes | Terms of service still govern lawful use—technology is never a waiver |
| Local IoT tinkering while abroad | VPN-first | LAN subnets + multicast helpers marked direct | Guests on guest VLANs sometimes overlap addresses—verify CIDRs |

Document deltas in a plaintext note—even future-you forgets whether /16 bypass was deliberate after the third firmware flash.

Verify Windows VPN routing without guesswork

Use layered checks rather than vibes:

  • Observe public IP drift after connecting: lookups from a browser that tunnel rows route through the VPN should switch to the exit address, while apps left direct keep the ISP address only if the inverse split behaved.
  • Ping LAN fixtures (192.168.x.1) while the tunnel shows active; failures usually mean stray /32 exclusions or NIC metric fights.
  • Inspect DNS resolvers via ipconfig /all or PowerShell’s Get-DnsClientServerAddress; split-horizon DNS misconfigurations masquerade as “random broken sites.”
  • Watch client counters if DVDVPN surfaces per-process stats—traffic that flatlines implies the workload never entered the shim.
  • Retest IPv6 deliberately when ISPs advertise dual-stack tunnels; asymmetric paths love hiding split mistakes until one stack fails silently.

Caches persist: restarting the affected executable often matters more than restarting the tunnel.
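The layered checks above, folded into one script you can rerun after every reconnect. This is an added example, not part of the DVDVPN client; the tunnel adapter alias pattern, the LAN gateway and the sample destinations are assumed placeholders to adjust for your machine.

```powershell
# Added verification script (not DVDVPN tooling). Run elevated once the client reports connected.
param(
    [string]$TunnelAdapterPattern = 'DVDVPN*',      # assumption: check Get-NetAdapter for the real alias
    [string]$LanGateway = '192.168.1.1',            # your LAN fixture (the page's 192.168.x.1)
    [string[]]$Destinations = @('10.37.0.1', '172.21.0.5', '1.1.1.1')  # constructed: bypass rows + a public IP
)

# 1. Is a tunnel adapter present and Up? "Connected" in the UI with no adapter is the phantom state.
$tunnel = Get-NetAdapter | Where-Object { $_.Name -like $TunnelAdapterPattern -and $_.Status -eq 'Up' } |
          Select-Object -First 1
if ($tunnel) { "Tunnel adapter: $($tunnel.Name) (ifIndex $($tunnel.ifIndex))" }
else         { Write-Warning "No Up adapter matches '$TunnelAdapterPattern'" }

# 2. Interface metrics: LAN pings that fail while connected are often a metric fight, not a rule bug.
Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric | Select-Object InterfaceAlias, InterfaceMetric | Format-Table -AutoSize

# 3. Ask the stack which interface each destination would really use (longest prefix, then metric).
foreach ($dst in $Destinations) {
    $route = Find-NetRoute -RemoteIPAddress $dst -ErrorAction SilentlyContinue |
             Where-Object { $_.DestinationPrefix } | Select-Object -First 1
    if ($route) { '{0,-16} -> {1} via {2}' -f $dst, $route.InterfaceAlias, $route.DestinationPrefix }
    else        { '{0,-16} -> no route' -f $dst }
}

# 4. LAN fixture reachability: stray /32 exclusions or metric fights show up here.
$lanOk = Test-Connection -ComputerName $LanGateway -Count 2 -Quiet -ErrorAction SilentlyContinue
"LAN gateway $LanGateway reachable: $lanOk"

# 5. DNS resolvers per interface: split-horizon mistakes look like "random broken sites".
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# 6. IPv6: a default v6 route on a non-tunnel interface means that stack can sidestep your split rules.
Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, NextHop, RouteMetric | Format-Table -AutoSize
```

Compare the step 3 output against your rule table: a bypass row whose destination resolves to the tunnel alias (or vice versa) is a misroute worth fixing before trusting the connection.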

WSL, containers, and “which binary really talks?”

Commands you run inside Windows Subsystem for Linux or Hyper-V-backed dev environments often terminate on a separate virtual NIC. If routing looks correct from Edge but hangs inside Ubuntu-on-WSL, you likely need analogous bypass rows for those virtual subnets—not only your Wi-Fi adapter. Containers published through Docker Desktop forward across yet another invisible bridge (172.17.0.0/16 by convention), so mirrored CIDR exclusions keep internal pulls off the geographic exit you reserve for auditors. Glancing at Resource Monitor to see which executable owns an outbound socket is cheaper than refactoring rules the night before a release.
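A scripted version of the Resource Monitor glance, as an added example that is not DVDVPN tooling: it attributes each established outbound TCP socket to its owning executable and to the adapter its local address belongs to. The process-name filter values are assumptions; adjust them to the binaries you are chasing.

```powershell
# Added helper (not part of DVDVPN): which executable really talks, and through which interface?
param([string]$ProcessFilter = '*')   # e.g. 'msedge', 'com.docker*' (assumed names, adjust to taste)

# Map local IPv4/IPv6 addresses to adapter aliases so each socket can be tied to an interface.
$ifByAddr = @{}
Get-NetIPAddress | ForEach-Object { $ifByAddr[$_.IPAddress] = $_.InterfaceAlias }

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notlike '127.*' -and $_.RemoteAddress -ne '::1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            Path      = if ($proc) { $proc.Path } else { $null }   # null for protected processes
            Interface = $ifByAddr[$_.LocalAddress]                 # tunnel alias = went via VPN
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } |
    Where-Object { $_.Process -like $ProcessFilter } |
    Sort-Object Interface, Process |
    Format-Table Process, Interface, Local, Remote, Path -AutoSize
```

Flows that originate inside a WSL2 or Hyper-V VM leave through the virtual switch without a host-side socket, so a workload that is plainly reaching the network yet never appears here is exactly the case that needs its own bypass row for the virtual subnet.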

When Windows needs reconnect or firewall awareness

Windows Update, Hyper-V swaps, VMware adapter churn, or corporate compliance agents can reinstall miniport drivers overnight. Symptoms include “everything says connected” yet routing tables silently revert. Maintain a playbook: reboot once after major cumulative updates; if split rules vanish, verify that you launched the client from Start as administrator so policy sync succeeded.

Third-party antivirus suites occasionally attach “HTTPS scanning” proxies that collide with layered VPN stacks—temporarily whitelist DVDVPN binaries only through official supplier guidance, never random forum scripts.

Microsoft’s own terminology moved between builds; pinning documentation links to evergreen Microsoft Learn pages referencing “Forced tunneling” helps colleagues cross-check without stale screenshots.

Why a disciplined client beats ad hoc split tweaks

Split tunneling hacks cobbled together with PowerShell snippets and deprecated TAP adapters fracture the moment DHCP renews—your gaming PC becomes the office support ticket nobody wants because “it worked yesterday.” Dedicated Windows VPN stacks that unify protocol handling, audited encryption, observable routing edits, and clear defaults reduce that lottery. Generic open-source scaffolding can be powerful academically, yet it rarely ships sane guardrails around DNS pinning, reconnect storms, or user-friendly verification.

Compared with manual assembly, DVDVPN aligns Windows behavior with sibling platforms so policy learned on macOS transfers conceptually—even when wording differs—and free accounts include starter quota without demanding a payment card upfront, which helps you rehearse split setups before migrating production workflows. Grab the freshly signed binaries from our download page, mirror the presets above cautiously to your infra, then iterate while watching counters instead of anecdotes. Billing, traffic pooling, and device limits converge in one online account view when you graduate from experiments to everyday carry.
