Skip to main content

Split Tunneling

Overview

Split tunneling is an AmneziaVPN feature that lets you choose IP addresses/subnets and apps that should either use the VPN tunnel or bypass it.

Depending on your operating system, AmneziaVPN may support both types of split tunneling (by IP addresses/subnets and by apps) or only one of them (by IP addresses/subnets). Each type usually has two modes — items from your list can go through VPN or without VPN.

  • Android — split tunneling can be configured both by IP addresses and by apps. For each type there are two modes: selected IPs/apps work through VPN or without VPN.
  • Windows — split tunneling can be configured by IP addresses and by apps, but two modes are available only for IP addresses. For apps there is a single exceptions mode: selected apps work without VPN (the opposite mode is not available).
  • iOS / macOS / Linux — split tunneling can be configured only by IP addresses and is not available by apps.
Only IPs from list through VPNOnly IPs from list bypass VPNOnly apps from list through VPNOnly apps from list bypass VPN
Android
Windows
iOS
macOS
Linux

On Windows and Android you can enable both split-tunneling types at the same time — by IPs and by apps.

Split Tunneling by IP Subnets and IP Addresses

AmneziaVPN supports IPv4 only and does not support IPv6.

For Amnezia connection, split tunneling by IP addresses is not available.

Split tunneling by IP addresses affects not only websites in a browser, but also apps — they reach out to specific IP addresses exactly like websites do.

This means:

  • when you open a website or an app, your system silently connects to specific IP addresses used by that site or app;
  • if you add the IP addresses/subnets of a service (for example, Telegram) to split tunneling, the rule will apply to both the site web.telegram.org and the Telegram app.

This logic applies to any service that has both a website and an app.

Large services usually rely on many IPs for correct operation. For a site like YouTube, this may involve thousands of IP addresses.

If you add only the domain, e.g., youtube.com, to your split-tunneling list, the site might still not work reliably. In this case the AmneziaVPN app resolves the domain once into the current set of IPv4 address, stores that set and does not update it automatically.

To obtain all IP addresses/subnets a website or service may require, we recommend iplist: https://iplist.opencck.org. In a couple of clicks it generates a file with the IP addresses/subnets needed for a given site/service/app.

Special thanks to Rekryt for creating the service!
Learn more in the author's repository on GitHub.

Mode 1: "Only the sites listed here will be accessed through the VPN"

This is the most effective and recommended method on Windows/iOS/macOS/Linux.

  1. Go to https://iplist.opencck.org → choose format Amnezia and data type IPv4 IP zones (CIDR).

  1. Tick the sites or categories you want to send through VPN.

  2. At the bottom, check Save as file and click Submit — the file ip-list.json will be saved to your device.

  1. Open split tunneling settings for sites (IPs) in AmneziaVPN and select Only the sites listed here will be accessed through the VPN.

  1. Click (three dots) and choose how to import (Replace site list or Add imported sites to existing ones).

  1. Select the previously downloaded ip-list.json and import it → enable split tunneling for sites and connect to VPN.

Wide IP subnets for large services like YouTube or Discord may capture IPs of unrelated sites/services. For example, your online game server connection may end up going through VPN.

If that happens, find out which IPs the app actually connects to and remove from your split list those subnets that contain those IPs.

You can do this with Windows Resource Monitor or third-party tools such as TCPView.

Mode 2: "Addresses from the list should not be accessed via VPN"

We recommend using this mode only if you want everything to go through VPN except your local/ISP networks.

If you want sites like gosuslugi.ru or mos.ru to open without VPN, it's often easier to go the other way: configure split tunneling by the list of IPs that should go through VPN (everything else will bypass VPN), or use the app exceptions list (e.g., make one browser your "no-VPN window").

  1. Open split tunneling settings for sites and select Addresses from the list must not go through VPN.

  2. Add the following IP subnets (CIDR):

    • 192.168.0.0/16
    • 172.16.0.0/12
    • 10.0.0.0/8
    • 169.254.0.0/16
    • 100.64.0.0/10

  3. Enable split tunneling for sites and connect to VPN.

If you still prefer to configure split tunneling by exceptions (only selected addresses bypass VPN), you can obtain a site's IPs with nslookup:

  • nslookup gosuslugi.ru
  • nslookup esia.gosuslugi.ru
  • nslookup lk.gosuslugi.ru
  • nslookup pos.gosuslugi.ru

Split Tunneling by Apps on Windows

In Windows, AmneziaVPN supports a single app split mode in which only apps from your list work without VPN. The opposite mode — "only apps from the list work through VPN" — is available in AmneziaVPN on Android and is not available on Windows.

How to enable app split tunneling on Windows

  1. Open App-based split tunneling and click ➕ (plus).

  1. Select the app executables (.exe) that should work without VPN.

  1. Enable split tunneling for apps and connect to VPN.

How to find the right executable to add

We recommend AppNetworkCounter: https://www.nirsoft.net/utils/appnetworkcounter-x64.zip (portable, no install).

AppNetworkCounter shows processes that are currently using the network and the Application Path for each — exactly what you need to add to the app split list.

To copy the path, double-click a process and copy the Application Path value.

If, after adding the main executable, the app still uses VPN, it likely launches additional processes that do not maintain a constant network connection — you might have missed them in AppNetworkCounter. Search for guidance like split tunneling app_name to see which extra executables others have added successfully.

Apps Often Added to Split Tunneling on Windows

  1. Torrent client — to download/seed without VPN on any AmneziaVPN location (torrent traffic is restricted on all locations except Switzerland).
  2. Secondary browser — to always have a browser window outside VPN. Useful if you don't want to configure IP split but still need the ability to open any site without VPN at any time.
  3. Game launchers/stores (Steam, Epic Games, Battle.net) — to get the maximum download speed available on your ISP plan.
  4. Alternative VPN client used for access to corporate resources.

When used simultaneously with AmneziaVPN, correct operation of the following VPN clients is not guaranteed:

  • AnyConnect
  • OpenConnect

Apps and games for which app split tunneling often doesn't work

This section is about app-based split tunneling. You can still often make such apps work by using IP-based split tunneling.

Frequently hard to set up to bypass an active VPN connection:

  1. Apps installed from Microsoft Store.
  2. Some games that use anti-cheat (e.g., Battlefield 6, Valorant, League of Legends).

How to play without VPN and use Discord at the same time:

  1. Go to https://iplist.opencck.org → choose format Amnezia and data type IPv4 addresses.
  2. Check the Discord section.
  3. At the bottom, check Save as file and click Submit.

  1. In AmneziaVPN open split tunneling for sites and select Only the sites listed here will be accessed through the VPN.

  1. Click (three dots) and choose Replace site list.

  1. Select the downloaded ip-list.json and enable split tunneling for sites.

  1. Disable app split tunneling completely.

Split Tunneling by Apps on Android

  1. Open App-based split tunneling and choose the mode you need.
  2. Select the apps to add and click Add selected.
  3. Enable split tunneling and connect to VPN.

Some apps (e.g., Gemini) may not appear in the list and cannot be added.

In that case, go the other way around: enable split tunneling for the apps that must work without VPN (e.g., banking or government apps). All other apps will then work through VPN, including Gemini.

Enabling app-based split tunneling (X, Instagram, YouTube, etc.) does not affect the websites of those services opened in a browser.

The browser is a separate app that follows its own split-tunneling rules.

FAQ

Why can't I connect to my self-hosted VPN after enabling split tunneling?

Typically, your server's IP address belongs to one of the IP subnets you added to IP split tunneling. Find and remove that subnet, then try connecting to your self-hosted VPN again.

Why can split tunneling fail even when configured correctly?

This is a known issue in older AmneziaVPN versions (up to and including 4.8.8.3).
Please install the latest version of AmneziaVPN:

Why does an Android app that should bypass VPN still report that a VPN is in use?

The app may detect that a VPN is active on the system — this doesn't automatically mean the app's traffic goes through VPN.

Can I enable both IP and app split tunneling at the same time?

Yes — on Windows and Android.

When will Windows get the second app split mode (only selected apps through VPN)?

We do not have an ETA for the mode where only apps from the list use the VPN tunnel.

When will app split tunneling be available on iOS/macOS/Linux?

We do not have an ETA for app split tunneling on iOS/macOS/Linux due to platform limitations.