How to Configure VPN Split Tunneling Through PowerShell on Windows 11

You want to send only specific traffic through your VPN connection while letting everything else use your normal internet connection. This is called split tunneling. Windows 11 supports split tunneling natively, but the Settings app does not expose the configuration options. You must use PowerShell to set up which traffic goes through the VPN tunnel and which traffic stays on the local network.

Microsoft added VPN split tunneling support to Windows 11 through the VpnConnection PowerShell module. This article explains how to configure split tunneling using the Add-VpnConnectionRoute and Remove-VpnConnectionRoute cmdlets. You will learn how to add routes for specific IP addresses or subnets, how to exclude certain traffic from the VPN, and how to verify your configuration works correctly.

By the end of this guide, you will be able to control exactly which applications and services use your VPN tunnel. You will also understand the differences between forced tunneling and split tunneling, and how to avoid common mistakes like routing all traffic through the VPN accidentally.

Key Takeaways: VPN Split Tunneling via PowerShell

  • Add-VpnConnectionRoute: Adds a route to the VPN connection so traffic to that IP or subnet goes through the tunnel.
  • Remove-VpnConnectionRoute: Removes a previously added route from the VPN connection.
  • Get-VpnConnection: Displays the current VPN connection configuration including all split tunneling routes.


What Is VPN Split Tunneling and Why Use PowerShell

VPN split tunneling lets you choose which network traffic goes through the VPN tunnel and which traffic goes directly to the internet. This is the opposite of forced tunneling, where all traffic goes through the VPN. Split tunneling is useful when you only need VPN access for specific resources such as a company intranet, a remote database, or a cloud application. All other traffic like web browsing, streaming, and online gaming stays on your local connection, preserving bandwidth and reducing latency.

Windows 11 supports split tunneling through the built-in VPN client. However, the graphical interface in Settings > Network & internet > VPN only allows you to turn the VPN connection on or off. You cannot add or remove routes from the Settings app. PowerShell provides the VpnConnection module with cmdlets that let you manage VPN routes directly. You must run PowerShell as an administrator to make changes to VPN connection settings.

Prerequisites for Configuring Split Tunneling

Before you start, verify the following:

  • You have an existing VPN connection configured in Windows 11. The connection must use the built-in Windows VPN client (IKEv2, SSTP, L2TP, or PPTP). Third-party VPN apps like OpenVPN or WireGuard do not support the VpnConnection PowerShell cmdlets.
  • Your user account has administrative privileges on the Windows 11 device.
  • You know the exact name of your VPN connection as it appears in Settings > Network & internet > VPN.
  • You know the IP addresses or subnets you want to route through the VPN. For example, 10.0.0.0/8 for a corporate network or 192.168.1.100 for a specific server.

Steps to Add Split Tunneling Routes Using PowerShell

Follow these steps to configure split tunneling on your Windows 11 VPN connection. All commands must be run in an elevated PowerShell window.

  1. Open PowerShell as administrator
    Press the Windows key, type PowerShell, right-click Windows PowerShell in the search results, and select Run as administrator. Click Yes in the User Account Control prompt.
  2. Check your VPN connection name
    Run the command Get-VpnConnection | Format-Table Name. This displays all VPN connections configured on the device. Note the exact name of the connection you want to modify. For example, the name might be “Work VPN” or “Company Tunnel”.
  3. Add a route for a specific subnet
    Run the command Add-VpnConnectionRoute -ConnectionName "Your VPN Name" -DestinationPrefix 10.0.0.0/8 -PassThru. Replace “Your VPN Name” with the actual connection name from step 2. Replace 10.0.0.0/8 with the subnet you want to route through the VPN. The -PassThru parameter shows the updated connection object after the route is added.
  4. Add a route for a single IP address
    Run the command Add-VpnConnectionRoute -ConnectionName "Your VPN Name" -DestinationPrefix 192.168.1.100/32 -PassThru. The /32 netmask tells Windows to route only that single IP address through the VPN.
  5. Verify the added routes
    Run the command Get-VpnConnection -Name "Your VPN Name" | Select-Object -ExpandProperty Routes. This lists all routes currently configured for split tunneling on that connection. Each route shows the DestinationPrefix and the metric.
  6. Connect to the VPN and test
    Open Settings > Network & internet > VPN, select your VPN connection, and click Connect. After connecting, use the ping command to test traffic to a routed IP address: ping 10.0.0.1. If the route is working correctly, you should get a reply. Traffic to IP addresses not in the route list will go through your normal internet connection.

Removing a Split Tunneling Route

If you need to remove a route, use the Remove-VpnConnectionRoute cmdlet. The syntax is identical to Add-VpnConnectionRoute. For example:

Remove-VpnConnectionRoute -ConnectionName "Your VPN Name" -DestinationPrefix 10.0.0.0/8 -PassThru

After removal, run Get-VpnConnection again to confirm the route is gone.


Common Mistakes and Things to Avoid

Routing All Traffic Through the VPN by Mistake

If you add a route for 0.0.0.0/0, Windows will route all internet traffic through the VPN tunnel. This effectively disables split tunneling and turns your connection into forced tunneling. Only use 0.0.0.0/0 if you intend to send all traffic through the VPN. For split tunneling, always use specific subnets or IP addresses.

VPN Connection Name Contains Spaces

If your VPN connection name contains spaces, you must enclose the name in double quotes in the PowerShell command. For example: -ConnectionName "Contoso VPN". Failing to use quotes causes a parameter error.

Routes Are Not Applied Immediately

Routes added with Add-VpnConnectionRoute are stored in the VPN profile. They take effect only after you connect to the VPN. If you add routes while the VPN is already connected, you must disconnect and reconnect for the new routes to apply.

Using the Wrong Netmask

The DestinationPrefix parameter requires valid CIDR notation. For a single IP address, use /32. For a Class C subnet, use /24. For a Class B subnet, use /16. Using an incorrect netmask may route more or fewer IP addresses than intended.

Third-Party VPN Clients Are Not Supported

The Add-VpnConnectionRoute cmdlet only works with VPN connections created by the built-in Windows VPN client. If you use a third-party VPN app like NordVPN, ExpressVPN, or OpenVPN GUI, those connections do not appear in Get-VpnConnection and cannot be modified with these cmdlets. You must configure split tunneling inside the third-party app itself.

Split Tunneling vs Forced Tunneling: Key Differences

Item | Split Tunneling | Forced Tunneling
Traffic routing | Only specified traffic goes through VPN | All traffic goes through VPN
Bandwidth usage | Lower; local traffic bypasses VPN | Higher; all traffic consumes VPN bandwidth
Latency | Lower for non-VPN traffic | Higher for all traffic due to VPN hop
Security | Less secure; traffic outside the tunnel is not encrypted by the VPN | More secure; all traffic is encrypted by the VPN
Configuration method | PowerShell Add-VpnConnectionRoute | Default VPN behavior; no routes needed
Use case | Accessing specific corporate resources | Full privacy or geo-spoofing

This table summarizes the main trade-offs. Choose split tunneling when you need VPN access for specific services but want to keep local traffic fast. Choose forced tunneling when you require all traffic to be encrypted.

You now know how to configure VPN split tunneling on Windows 11 using PowerShell. You can add routes for specific subnets or single IP addresses, verify the configuration with Get-VpnConnection, and remove routes when they are no longer needed. For advanced management, consider creating a PowerShell script that adds multiple routes at once using a loop or importing routes from a CSV file. This approach saves time when setting up split tunneling on multiple devices in your organization.
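Added example, not from the original article: the steps above and the checks from "Common Mistakes and Things to Avoid" combined into the bulk CSV import that the closing paragraph suggests. The connection name 'Work VPN', the sample CSV rows, and the Test-SplitTunnelPrefix helper are assumptions for illustration; the SplitTunneling check is an addition the article does not cover.

```powershell
#Requires -RunAsAdministrator
# Added example. 'Work VPN' is a placeholder; the CSV rows are constructed sample data.
$ConnectionName = 'Work VPN'
$csv = @'
DestinationPrefix,Note
10.0.0.0/8,corporate network
192.168.1.100/32,single server
0.0.0.0/0,mistake: default route
192.168.1.100/24,mistake: address and netmask disagree
'@

# Hypothetical helper: returns $null for a usable IPv4 prefix, else the reason to skip it.
function Test-SplitTunnelPrefix {
    param([Parameter(Mandatory)][string]$Prefix)
    $addrText, $lenText = $Prefix -split '/', 2
    $ip = $null; $len = 0
    if (-not [System.Net.IPAddress]::TryParse($addrText, [ref]$ip)) { return 'not an IP address' }
    if ($ip.AddressFamily -ne 'InterNetwork') { return 'this example handles IPv4 only' }
    if (-not [int]::TryParse($lenText, [ref]$len) -or $len -lt 0 -or $len -gt 32) {
        return 'prefix length must be 0-32'
    }
    if ($len -eq 0) { return 'default route would send all traffic through the VPN' }
    # Convert to a number and require every bit right of the prefix to be zero.
    $bytes = $ip.GetAddressBytes(); [array]::Reverse($bytes)
    $value = [long][BitConverter]::ToUInt32($bytes, 0)
    $hostMask = [long]([math]::Pow(2, 32 - $len) - 1)
    if ($value -band $hostMask) { return 'host bits set; netmask does not match the address' }
    return $null
}

$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
# Not covered on the page: the profile's SplitTunneling flag decides whether only
# the listed routes use the tunnel, so report it before adding routes.
if (-not $conn.SplitTunneling) {
    Write-Warning "SplitTunneling is off for '$ConnectionName' (Set-VpnConnection -SplitTunneling `$true enables it)."
}
$existing = @($conn.Routes | ForEach-Object DestinationPrefix)

foreach ($row in ($csv | ConvertFrom-Csv)) {
    $prefix = $row.DestinationPrefix.Trim()
    $problem = Test-SplitTunnelPrefix -Prefix $prefix
    if ($problem) { Write-Warning "Skipping $prefix ($problem)"; continue }
    if ($existing -contains $prefix) { continue }   # already in the profile
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Same verification as step 5: list what is now stored in the profile.
Get-VpnConnection -Name $ConnectionName | Select-Object -ExpandProperty Routes
```

With the sample rows, only 10.0.0.0/8 and 192.168.1.100/32 are added; the default route and the mismatched /24 are skipped with a warning instead of silently widening what the tunnel carries.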
