Technical · Clients

Does Split Tunneling Actually Matter? How to Use It in Shadowrocket and v2rayN

June 2, 2026 7 min read RouteVeil

Split tunneling sounds like a professional feature you probably don't need. In reality, it's one of the most useful things you can configure — and in Shadowrocket and v2rayN, it takes about 60 seconds to set up correctly.

What split tunneling actually does

Without split tunneling, every piece of internet traffic on your device goes through the VPN. Your Netflix, your banking app, your local delivery service — all of it routed through your server in Frankfurt or Singapore.

That creates two practical problems. First, it's slower than it needs to be — routing every request through a foreign server adds latency. Second, some services actively block traffic from VPN IP ranges, so your bank might suddenly refuse to let you log in.

Split tunneling solves this by letting you decide which traffic goes through the VPN and which goes directly. Apps that need to bypass censorship use the tunnel. Everything else uses your regular connection.

The key insight: A VPN that routes everything through it is like taking the highway for every errand — including the ones where walking would be faster. Split tunneling is the ability to choose when to take the highway.

The three routing modes you need to know

Most Xray-based clients — Shadowrocket, v2rayN, Hiddify — offer three fundamental modes. Understanding these is the foundation of split tunneling.

Mode 1

Proxy (全局代理 / Global)

All traffic goes through the VPN server. Simplest to understand, slowest in practice. Good for testing that your connection works, not ideal for daily use.

Mode 2

Direct (直连)

Nothing goes through the VPN. Your connection is as if the VPN doesn't exist. Used for testing or temporarily bypassing the VPN.

Mode 3 — The one you want

Rule / Auto (规则模式)

Traffic is routed based on rules. Blocked sites → VPN. Domestic sites and banking → direct. This is what split tunneling looks like in practice, and it's the default recommended mode for daily use.

Split tunneling in Shadowrocket (iOS)

Shadowrocket is the standard iOS client for Xray Reality connections. Its routing system is clean and powerful once you understand the three sections.

Setting the global mode

Open Shadowrocket → tap the globe icon at the bottom → select Rule. This activates rule-based routing. Everything else you configure here builds on this foundation.

Adding rules manually

Go to Config → Edit Configuration → Rules. You'll see a list of rules evaluated top to bottom. The first matching rule wins.

The most useful rule types:

DOMAIN-SUFFIX,google.com,PROXY — all Google domains go through VPN
DOMAIN-SUFFIX,sberbank.ru,DIRECT — Russian banking apps bypass VPN
GEOIP,CN,DIRECT — all Chinese IPs connect directly (faster for local services in China)
GEOIP,RU,DIRECT — same for Russian domestic traffic
FINAL,PROXY — everything not matched by a rule above goes through VPN

Using a ruleset (recommended)

Instead of adding rules one by one, Shadowrocket supports importing full rulesets. The most useful ones for our use case:

For China users: The RULE-SET,https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/ChinaDomain.list,DIRECT ruleset covers hundreds of Chinese domestic domains automatically.
GeoIP database: Shadowrocket includes a built-in GeoIP database — GEOIP,CN,DIRECT works out of the box.

One thing to watch: If you have banking apps or payment services on your phone, add them as DIRECT rules. Banks often block logins from foreign IP ranges, and your VPN server will look like one. Adding DOMAIN-SUFFIX,yourbank.com,DIRECT takes 10 seconds and prevents the problem entirely.

Split tunneling in v2rayN (Windows)

v2rayN is the standard Windows client for Xray connections. Its routing is configured differently — through a JSON routing config — but the logic is identical.

The three routing modes in v2rayN

In v2rayN, go to Settings → Routing Settings. You'll see a dropdown with predefined rule sets:

Bypass LAN and mainland China — routes Chinese domestic traffic and local network directly, everything else through VPN. This is the correct setting for most users in China.
Bypass LAN — only local network bypasses VPN. All internet traffic goes through the tunnel.
Global — everything through VPN.

For Russia: select Bypass LAN and add specific Russian domains manually, or use the custom routing option.

Custom routing rules in v2rayN

Click Custom routing to open the rule editor. Rules follow this structure:

{
  "outboundTag": "direct",
  "domain": [
    "geosite:cn",
    "domain:sberbank.ru",
    "domain:gosuslugi.ru"
  ]
},
{
  "outboundTag": "proxy",
  "domain": [
    "geosite:google",
    "geosite:telegram"
  ]
}

The geosite:cn entry covers thousands of Chinese domains automatically. geosite:google does the same for Google services. These are maintained databases that update separately from v2rayN itself.

Split tunneling in the Xray server config (advanced)

Everything above is client-side routing — you decide on your device what goes where. But you can also configure routing on the server itself.

This is rarely needed for personal use. The main scenario is when you want to block specific traffic from leaving your server entirely — for example, preventing torrents or certain services from using your VPS bandwidth.

In your config.json on the server, the routing section looks like this:

"routing": {
  "rules": [
    {
      "type": "field",
      "ip": ["geoip:private"],
      "outboundTag": "blocked"
    },
    {
      "type": "field",
      "domain": ["geosite:category-ads-all"],
      "outboundTag": "blocked"
    }
  ]
}

The blocked outbound drops matching traffic. This is how you block ads at the server level or prevent connections to specific IP ranges.

For RouteVeil clients: Your server config is already optimized. Client-side routing in Shadowrocket or v2rayN is all you need to configure split tunneling for your specific situation. We're happy to help via Telegram if you want a custom ruleset for your country.

The practical recommendation

Here's what to actually do, depending on your situation:

You're in China using Shadowrocket

Set mode to Rule. Add GEOIP,CN,DIRECT to keep domestic traffic fast. Add FINAL,PROXY as the last rule. Everything blocked by the Great Firewall goes through your server; everything domestic stays fast.

You're in Russia using v2rayN

Select Bypass LAN routing. Add domain:gosuslugi.ru, domain:sberbank.ru, and your banking apps to the direct rule. Add geosite:telegram to the proxy rule. Done.

You want to route specific apps only

This is the cleanest setup for iOS. In Shadowrocket, go to Config → Edit Configuration → Proxy Groups and create a group that only activates for specific domain suffixes. Your work apps go through VPN; your local food delivery app doesn't.

Need a custom routing config for your country and apps? We set this up as part of the standard installation — or help you adjust it afterwards via Telegram.

Message us on Telegram →