
Split tunneling, in plain language

Per-app VPN means picking which apps get protection without slowing the rest.

A full-device VPN is a blunt tool. Banking apps complain, smart-home apps lose their devices, your phone routes its own diagnostics through someone else's exit. Battery drains faster. Local services — Chromecast, AirPlay, network printers — disappear from the phone's view of the LAN.

Split tunneling, also called per-app VPN, fixes this by making the tunnel selective. You label the apps that need protection; everything else stays on the device's normal network path. The tunnel is now a tool you reach for surgically, not a switch you flip for the whole device.

The mental model is straightforward. Think of the tunnel as a labelled pipe. Apps you mark go through the pipe. Apps you don't, never see it. Updates inherit the same label. New apps install unlabelled and stay direct unless you decide otherwise.

In practice this means three patterns. First: tunnel a few apps and leave everything else (banks, taxi, food, smart-home) on the direct path. Best for normal life with occasional VPN need. Second: default everything to the tunnel and exclude a short list. Best for travel and untrusted Wi-Fi. Third: tunnel by network — auto-on when joining unknown SSIDs, off on home Wi-Fi. Best when "trusted network" is a clean concept for you.

A common surprise: some apps embed webviews that share the system network stack. You might tunnel "Chrome" and discover that the in-app browser inside an unrelated app does not follow Chrome's rule; it follows the rule of the app that hosts it. The Android API exposes this consistently — the per-app rule applies to whatever process makes the network call. Verify with QPOL's live status: turn the tunnel on, open the app, watch what flows.
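To show how the first two patterns above map onto Android's per-app VPN API, here is an added example (not QPOL's code). It uses VpnService.Builder's allow/deny lists; the package names, tunnel address and resolver are constructed placeholders, and a real service would still need a thread that pumps packets through the returned tun descriptor.

```kotlin
import android.content.pm.PackageManager
import android.net.VpnService
import android.os.ParcelFileDescriptor

// Added example, not QPOL's implementation. Per-app rules on Android are keyed
// by package (app UID), so the rule follows the process that opens the socket:
// a webview inside another app follows that app's rule, not Chrome's.
class SplitTunnelVpn : VpnService() {

    private var tun: ParcelFileDescriptor? = null

    // Pattern 1: only the labelled apps go through the pipe; everything else stays direct.
    fun startAllowlist(labelledApps: List<String>): ParcelFileDescriptor? {
        val b = baseBuilder()
        for (pkg in labelledApps) addOrSkip(pkg) { b.addAllowedApplication(pkg) }
        return establish(b)
    }

    // Pattern 2: everything tunnels except a short exclude list (travel, untrusted Wi-Fi).
    // Allowed and disallowed lists cannot be mixed on one Builder, so each start
    // constructs a fresh one.
    fun startDenylist(excludedApps: List<String>): ParcelFileDescriptor? {
        val b = baseBuilder()
        for (pkg in excludedApps) addOrSkip(pkg) { b.addDisallowedApplication(pkg) }
        return establish(b)
    }

    // A labelled package that is not installed raises NameNotFoundException;
    // skipping it keeps the rest of the policy intact rather than failing the tunnel.
    private fun addOrSkip(pkg: String, add: () -> Unit) {
        try { add() } catch (e: PackageManager.NameNotFoundException) { /* not installed */ }
    }

    private fun baseBuilder(): Builder =
        Builder()
            .setSession("split-tunnel-example")
            .addAddress("10.8.0.2", 32)   // constructed tunnel-side address
            .addRoute("0.0.0.0", 0)       // a tunnelled app's traffic all enters the tun
            .addDnsServer("10.8.0.1")     // constructed resolver reachable via the tunnel

    private fun establish(b: Builder): ParcelFileDescriptor? {
        // establish() returns null if the user has revoked the VPN consent.
        // The socket that carries the encrypted tunnel itself must be passed to
        // protect() so its packets are not routed back into the tun.
        tun = b.establish()
        return tun
    }
}
```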

Split tunneling also addresses the "VPN slows everything" complaint. The tunnel is, on average, slower than direct (extra hops, encryption overhead, sometimes a less-optimal route). When only a few apps go through it, the rest stay at native speed. Whether the slowdown matters depends on which apps you tunnel — for banking it does, for ChatGPT it almost never does.

For the implementation pattern of "tunnel only specific hostnames" (closer to per-domain than per-app, useful on servers), see the Telegram-bot-from-restricted-region use case.