How to Set Up VPN Split Tunneling on Your Router
VPN split tunneling lets you choose which devices go through the encrypted tunnel and which connect directly — giving you privacy where you need it without slowing down everything else.
If you’ve set up a VPN on your router, you already know the problem: every device on your network gets routed through the tunnel, which can slow things down and break services that don’t work over VPN — like smart home hubs, local streaming, or banking apps that flag VPN traffic. VPN split tunneling solves this by letting you choose exactly which devices or destinations go through the VPN and which connect directly to the internet.
This guide covers how to configure split tunneling at the router level on the most popular platforms: ASUS (Asuswrt), Asuswrt-Merlin, GL.iNet, and OpenWrt.
What Is VPN Split Tunneling?
Split tunneling divides your network traffic into two streams: one encrypted and routed through the VPN server, and one that goes directly to the internet over your regular ISP connection. Instead of sending every packet through the VPN tunnel, you define rules — by device IP, by destination IP or domain, or by application — that determine which traffic takes which path.
At the device level (phone or laptop), split tunneling is a checkbox in most VPN apps. At the router level it’s more powerful: you can route an entire device (like your work laptop) through the VPN while letting your smart TV and gaming console connect directly, without installing anything on those devices.
Why Configure Split Tunneling on the Router?
- Speed: VPN encryption adds CPU overhead. Routing only the traffic that actually needs protection keeps non-VPN devices at full speed.
- Access to local services: Some smart home hubs, local NAS devices, and streaming services detect and block VPN traffic. Sending them directly bypasses those restrictions.
- Cover devices that can’t run VPN apps: Game consoles, smart TVs, and IoT devices have no VPN app support. Router-level policy routing is the only way to control how their traffic is routed.
- Selective privacy: Your work laptop can use the VPN; your kids’ tablets don’t need to. Configure once on the router, zero setup per device.
Which Routers Support Split Tunneling?
ASUS Routers — VPN Fusion
Most ASUS routers released after 2019 running Asuswrt 3.0.0.4.386 or newer support VPN Fusion, ASUS’s name for simultaneous VPN + non-VPN routing. With VPN Fusion enabled, you can assign each device on your network to either the VPN tunnel or the direct WAN connection. The RT-AX88U, RT-AX86U, GT-AX11000, and the newer RT-BE96U WiFi 7 flagship all support it.
Asuswrt-Merlin
Asuswrt-Merlin is an unofficial enhanced firmware for ASUS routers that adds granular policy-based routing (called “VPN Director” in recent builds). You can define rules based on source IP (local device), destination IP or CIDR, or domain name. Each rule independently sends matching traffic through the VPN or directly through WAN. This is the most flexible option available without a full Linux setup.
GL.iNet Routers
GL.iNet routers — including the GL-MT3000 Beryl AX and GL-AXT1800 Slate AX — run a simplified OpenWrt interface with a dedicated VPN Policy section in the admin panel. You can select “Based on the target domain or IP” or “Based on the client device” and build a whitelist or blacklist approach, all without touching the command line.
OpenWrt
OpenWrt supports split tunneling through its policy routing packages (pbr or vpn-policy-routing) and firewall marks. It’s the most powerful option but also the most technical — expect to spend time in the command line configuring ip rules, routing tables, and firewall marks. If you’re new to OpenWrt, see our guide on how to flash and configure OpenWrt before attempting policy routing.
How to Set Up Split Tunneling on an ASUS Router (VPN Fusion)
- Log into your router admin panel at router.asus.com or 192.168.1.1.
- Navigate to VPN → VPN Fusion.
- Make sure you already have a VPN profile configured and active. If not, see our guide on how to set up a VPN on your router.
- Under “VPN Fusion,” each connected device is listed. Toggle the VPN switch next to devices you want routed through the tunnel; leave others on WAN for direct internet access.
- Click Apply. Changes take effect immediately — no reboot required.
The result: your work laptop and phone go through the VPN while your smart TV, Roku, and PS5 connect directly at full speed.
How to Set Up Split Tunneling on Asuswrt-Merlin (Policy Rules)
- Log into the admin panel and navigate to VPN → VPN Client.
- Under your OpenVPN or WireGuard profile, set “Redirect Internet traffic” to “Policy Rules” — or “Policy Rules (Strict)” to prevent any bypass of the defined rules.
- A rule table appears. For each rule, specify:
  - Source IP: the local IP of the device you want to route (e.g., 192.168.1.105 for your laptop)
  - Destination: leave blank to match all destinations, or enter a specific IP or CIDR block
  - Iface: choose VPN to tunnel or WAN to bypass
- Add a catch-all rule with a blank Source IP and WAN interface to make direct access the default for any unlisted devices.
- Click Apply, then enable the kill switch (“Block routed clients if tunnel is down”) to prevent VPN-assigned devices from leaking to WAN if the tunnel drops.
Common Split Tunneling Use Cases
- Work laptop through VPN, everything else direct: Protect sensitive work traffic without slowing the whole household.
- Route all traffic through VPN except streaming services: Keeps Netflix, Disney+, and YouTube at full ISP speed while your browsing stays private.
- Gaming consoles direct, everything else through VPN: Low-latency gaming while maintaining household privacy. See our tips on reducing WiFi latency for further gaming optimizations.
- Route only specific destination IPs through VPN: For example, only traffic destined for your company’s IP range uses the tunnel — the rest goes direct. Useful for corporate split-tunneling policies.
Troubleshooting Split Tunneling Issues
A device meant to use WAN is still showing the VPN IP
Check that the device’s local IP hasn’t changed. If your router uses DHCP, the device may have picked up a new lease. Assign a static DHCP reservation to VPN-routed devices so their IP never changes. See our guide on how to fix WiFi IP address conflicts for more on managing local IPs.
VPN-routed devices lose internet when the tunnel drops
This is the kill switch working as intended. Enable it deliberately — it prevents private traffic from accidentally leaking through WAN if the VPN disconnects. On Merlin, this setting is labeled “Block routed clients if tunnel is down.” On GL.iNet, it’s called “VPN Kill Switch.”
Split tunneling rules aren’t taking effect
On ASUS and Merlin, restart the VPN client after saving rules. Some firmware versions require the VPN to reconnect before policy changes apply. If the issue persists, reboot the router entirely and verify the tunnel reconnects. Also confirm that your device’s IP is exactly what the rule expects — a DHCP lease change is the most common culprit.
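The DHCP lease drift described in this troubleshooting section can be checked offline by comparing the policy table against the current leases. The script below is an added example, not code from the router firmware or this guide. The rule table, MAC addresses, and lease lines are constructed samples, and it assumes a device counts as tunneled when its current IP matches the Source IP of any VPN rule.

```python
import ipaddress

# Constructed policy table mirroring the rule fields above (Source IP, Destination, Iface).
RULES = [
    {"source": "192.168.1.105", "destination": "", "iface": "VPN"},  # work laptop
    {"source": "192.168.1.110", "destination": "", "iface": "VPN"},  # phone
    {"source": "", "destination": "", "iface": "WAN"},               # catch-all
]

# Devices the owner intends to tunnel, keyed by MAC (constructed values).
INTENDED_VPN = {"aa:bb:cc:00:00:01": "work-laptop", "aa:bb:cc:00:00:02": "phone"}

# Constructed leases in dnsmasq lease-file layout: expiry mac ip hostname client-id
LEASES = """\
1735689600 aa:bb:cc:00:00:01 192.168.1.105 work-laptop *
1735689600 aa:bb:cc:00:00:02 192.168.1.142 phone *
1735689600 aa:bb:cc:00:00:03 192.168.1.110 smart-tv *
"""

def parse_leases(text):
    """Return {mac: (ip, hostname)} from dnsmasq-style lease lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            leases[parts[1].lower()] = (ipaddress.ip_address(parts[2]), parts[3])
    return leases

def vpn_sources(rules):
    """Networks named as Source IP in VPN rules (a single IP becomes a /32)."""
    return [ipaddress.ip_network(r["source"], strict=False)
            for r in rules if r["iface"] == "VPN" and r["source"]]

def audit(rules, intended, lease_text):
    """List (mac, hostname, ip, problem) where leases and rules disagree."""
    nets, findings = vpn_sources(rules), []
    for mac, (ip, host) in sorted(parse_leases(lease_text).items()):
        tunneled = any(ip in net for net in nets)
        if mac in intended and not tunneled:
            findings.append((mac, host, str(ip), "intended for VPN but no VPN rule matches"))
        elif mac not in intended and tunneled:
            findings.append((mac, host, str(ip), "not intended for VPN but matches a VPN rule"))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, INTENDED_VPN, LEASES):
        print(*finding, sep="  ")
```

In the sample data the phone has moved to a new lease and now falls through to the WAN catch-all, while the smart TV has inherited the phone's old address and is tunneled by mistake; a static DHCP reservation for each VPN-routed device removes both findings.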
Bottom Line
Router-level split tunneling gives you precise control over which devices and destinations use your VPN — letting you maintain privacy where you need it without sacrificing speed everywhere else. ASUS routers with VPN Fusion are the easiest path for most users; Asuswrt-Merlin adds more granular policy control; GL.iNet and OpenWrt go further for advanced setups. Once configured, run a speed test on both a VPN-routed and a direct-WAN device to confirm your rules are working exactly as intended.