Back to Blog
vpnsplit tunnelingrouterprivacytroubleshooting

How to Set Up VPN Split Tunneling on Your Router

Router-level VPN split tunneling lets you choose which devices use the VPN and which connect direct — protecting what matters without slowing down everything else. Here’s how to set it up on ASUS, DD-WRT, and OpenWrt routers.

How to Set Up VPN Split Tunneling on Your Router
7 min read

When you run a VPN on your router, every device on your network — your laptop, phone, smart TV, and gaming console — gets tunneled through the VPN simultaneously. That sounds great for privacy, but it comes with a real cost: VPN encryption adds latency and can cut your speeds by 20–50% depending on the server distance and protocol. Split tunneling solves this by letting you choose which devices (or traffic) use the VPN and which connect directly to the internet.

Setting it up at the router level is more powerful than doing it per-app on a single device, because it covers every device on your network — including smart TVs and gaming consoles that have no native VPN support.

What Is VPN Split Tunneling?

Split tunneling divides your network traffic into two paths: traffic you want encrypted goes through the VPN tunnel, and everything else takes a direct route through your ISP. At the router level, you typically configure this by device IP address, meaning Device A (your work laptop) always goes through the VPN while Device B (your gaming console) goes direct.

The result is privacy and geo-unblocking for the devices that need it, without sacrificing speed on the devices that don’t. Benchmarks consistently show that correctly configured split tunneling improves overall network performance by 40–60% compared to routing all traffic through the VPN.

What You Need Before You Start

  • A router with split tunneling support: ASUS with VPN Fusion, or a router flashed with DD-WRT or OpenWrt
  • An active VPN subscription that supports router-level connections (NordVPN, ExpressVPN, Mullvad, and ProtonVPN all support OpenVPN and WireGuard on routers)
  • VPN configuration files (.ovpn for OpenVPN or a WireGuard config file) from your VPN provider
  • The static IP addresses of the devices you want to route through or around the VPN

Assign static IPs to the devices you plan to route before starting — it makes policy rules permanent even after devices reconnect. Do this in your router’s DHCP section by binding each device’s MAC address to a fixed IP.

Setting Up Split Tunneling on ASUS Routers (VPN Fusion)

ASUS’s VPN Fusion feature, available on most ASUS routers running firmware 388 or later, lets you run multiple VPN connections simultaneously and assign individual devices to each one. It is the easiest consumer router implementation of split tunneling available today.

Step 1: Configure the VPN Client

Log into your router at router.asus.com or 192.168.1.1. Go to VPN → VPN Fusion and click Add Profile. Select your VPN protocol (OpenVPN or WireGuard), upload your provider’s config file, and enter your credentials. Save and enable the profile.

Step 2: Create the Exception List

Within the VPN Fusion profile, click the Exception List button. Here you assign devices to either the VPN tunnel or the direct internet connection. Select a device by name or MAC address, choose its connection (the VPN profile name or “default” for direct internet), and click OK. Repeat for each device you want to route differently.

Step 3: Apply and Test

Click Activate then Apply. On a device routed through the VPN, visit a site like ipleak.net to confirm the VPN’s IP address is showing. On a device set to direct, confirm your real ISP IP appears. Run a speed test on both devices to verify performance — direct-routed devices should show full line speeds.

Setting Up Split Tunneling on DD-WRT Routers

DD-WRT supports policy-based routing for VPN split tunneling, though the setup requires more manual configuration than ASUS VPN Fusion.

Step 1: Set Up the VPN Client

In the DD-WRT dashboard, go to Services → VPN. Enable the OpenVPN Client, paste in your VPN provider’s configuration, and enable the client. Most major VPN providers publish DD-WRT-specific setup guides in their support documentation.

Step 2: Configure Policy-Based Routing

In the OpenVPN client section, find the Policy Based Routing box. Enter the IP addresses of devices you want routed through the VPN, one per line (e.g., 192.168.1.100 for your laptop). Devices not listed will use the regular internet connection. Click Apply Settings.

A cleaner alternative: assign all VPN-bound devices static IPs in a dedicated sub-range (e.g., 192.168.1.100–150) and route that entire range through the VPN, leaving the normal DHCP range (192.168.1.2–99) on direct internet. This makes it trivial to add devices — just give them an IP in the VPN range.

Setting Up Split Tunneling on OpenWrt

OpenWrt’s split tunneling is the most flexible option but also the most technical. The approach uses policy routing rules and firewall marks to tag traffic from specific source IPs and send it through the VPN interface.

Install the pbr (Policy Based Routing) package via System → Software in the LuCI interface. This adds a Policy-Based Routing menu where you create rules mapping source IP addresses to your VPN interface (tun0 for OpenVPN or wg0 for WireGuard) or to the WAN interface for direct traffic. The OpenWrt forum maintains a thorough step-by-step thread if you need the complete walkthrough for your specific hardware.

Which Devices Should Use the VPN?

A common and practical split tunneling setup:

  • Route through VPN: Work laptop, personal phone, a streaming stick for accessing geo-restricted content
  • Route direct: Gaming consoles (lower latency is critical), smart home hubs, security cameras, IoT devices

Gaming through a VPN almost always increases ping by 20–80 ms depending on server location. Routing your console direct while keeping your laptop on the VPN is the single most popular reason people configure split tunneling at the router level. For more on gaming latency, see our guide on how to reduce WiFi latency.

Troubleshooting Split Tunneling

If a device that should be going direct still shows the VPN’s IP address, double-check that its IP matches the exception or policy rule exactly. IP addresses change if DHCP reassigns them on reconnection — this is why binding devices to static IPs before you start is essential, not optional.

If VPN-routed devices are still slow after split tunneling is configured, try switching your VPN protocol to WireGuard if your provider supports it. WireGuard is significantly faster than OpenVPN and typically cuts VPN overhead in half. For a full protocol comparison and setup walkthrough, see our guide on how to set up a VPN on your router.

Related Articles

Blog8 min

How to Fix Slow WiFi Speeds When Using a VPN: Split Tunneling, Protocol Selection, and Router-Level Tips

A VPN can cut your effective WiFi speed by 20–60%. Here’s how to recover most of that lost performance with split tunneling, smarter protocol choices, and a few router tweaks.

Apr 24Read
Blog9 min

How to Set Up a VPN on Your Router: Complete Guide

Setting up a VPN on your router protects every device on your network at once — including smart TVs and game consoles that can’t run VPN apps. Here’s everything you need to know.

Apr 5Read
Blog8 min

How to Fix Double NAT on Your ISP Modem/Router Combo: Bridge Mode, IP Passthrough, and When It Matters

Double NAT happens when your ISP gateway and your own router both perform network address translation, causing Strict NAT, failed port forwarding, and VPN problems. Here’s how to detect it and fix it with bridge mode or IP passthrough.

May 8Read