Split Tunnel Configuration

This article explains the process of using and managing Split Tunneling on the Agent Configuration -> Tunnel Configuration page. Split tunneling allows custom rules based on a user, team, or tag to route client traffic through the VPN or the internet based on IP address or domain name.

Configuration Steps

  1. Go to Timus Manager -> Agent Configuration and click the Tunnel Configuration tab.
  2. Click the Create New button.
  3. Configure your split tunnel rules using the following fields:

  • Title: A name for the tunnel rule, ideally one that indicates its intended use.
  • Tunnel Mode:
    • Through Internet: Traffic bypasses the VPN and uses the local ISP IP address.
    • Through VPN: Traffic is routed through the Timus Connect Application and Timus Gateway.
  • Source: Select users, teams, or tags to define who the rule applies to.
  • Destination: Choose an IP address, CIDR range, or domain name.

Important Considerations

  • Default Behavior: By default, all users and teams route their traffic through the Timus VPN unless a "Through Internet" rule is specifically defined.
  • Protocol Support: Split tunneling is fully supported on Windows and macOS with both the WireGuard and the OpenVPN protocol.
  • Mobile & Browser Constraints:
    • IP-based split tunneling is currently available on mobile operating systems (Android/iOS) only when the tunnel protocol is OpenVPN.
    • Domain-based split tunneling is currently unavailable on mobile devices.
    • Browsers such as Chrome and Safari cache heavily. After defining a domain-based rule, you may need to clear the browser cache for the change to take effect; otherwise the browser may keep using the previous path.
  • macOS Limitations: macOS does not allow two different rules for the same IP address. If a conflict occurs between a domain-based rule and an IP-based rule that resolve to the same address, only one will be applied.
  • DNS Protection: When defining Through Internet rules for IP ranges, do not include the Timus DNS addresses:
    • WireGuard: 192.168.249.1
    • OpenVPN: 192.168.255.1
    • Excluding these addresses from the tunnel will prevent the agent from resolving domain names.
  • Shared Infrastructure (CDNs): Many platforms (Instagram, Facebook, WhatsApp) share the same data centers and IP addresses. Because the first matching rule in the hierarchy wins, traffic for one service may be routed incorrectly if it shares an IP with a higher-priority rule for a different service.
  • Proxy Services: When several websites sit behind a proxy service such as Cloudflare for security and anonymity, IP address conflicts can arise in the Split Tunnel configuration, because some proxy providers, Cloudflare among them, serve multiple websites from the same IP address. For instance, if you route traffic for 'test.com' (proxied by Cloudflare) through the internet and at the same time route 'test2.com' (also proxied by Cloudflare) through the VPN, you may observe 'test.com' going through the VPN while 'test2.com' goes through the internet. The shared proxy address makes the internet and VPN routes conflict.
  • Third-Party DNS: If using roaming DNS clients (e.g., ScoutDNS or Cisco Umbrella), you must create a split tunnel rule that excludes localhost from passing through the gateway to ensure proper name resolution.
  • Restricted Domains: You cannot modify split tunnel configurations for domains belonging to Timus Networks.

Example of IP Conflict:

In the case above, WhatsApp traffic will go Through Internet because it shares an IP with Instagram, which is positioned higher in the priority list.

Rule Prioritization and Sorting

Split tunnel rules are processed in a top-down hierarchy. The order of the configurations on the tunnel configuration table determines their priority. When a traffic request is made, the system evaluates the list from the top; the first configuration that matches the Source (the specific User, Team, or Tag) is the only one applied, and all subsequent configurations are ignored.
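The following Python model is an added illustration written for this article, not Timus Networks software and not an exact replica of how the agent evaluates rules. It reproduces the behaviour described in this section and in the Important Considerations above: rules are evaluated top-down and the first match wins (which is why the WhatsApp/Instagram example routes unexpectedly), and a rule audit flags two configuration mistakes the article warns about: "Through Internet" ranges that swallow the Timus DNS addresses, and rules with different modes whose destinations resolve to the same or overlapping addresses (the CDN and macOS cases). The `Rule` class, the `SAMPLE_DNS` resolution table and the sample rules are constructed for the example; the DNS addresses are the ones quoted above.

```python
"""First-match split tunnel evaluation and rule audit (added example, not Timus code)."""
import ipaddress
from dataclasses import dataclass

# Timus DNS addresses quoted in the article. A "Through Internet" range that
# covers either of them stops the agent from resolving names.
TIMUS_DNS = {
    "WireGuard": ipaddress.ip_address("192.168.249.1"),
    "OpenVPN": ipaddress.ip_address("192.168.255.1"),
}

# Constructed resolution table (assumption, not real DNS): two services share
# one CDN edge address, as the Shared Infrastructure note describes.
SAMPLE_DNS = {
    "instagram.com": "203.0.113.10",   # TEST-NET-3 documentation range
    "whatsapp.com": "203.0.113.10",    # same shared edge address (constructed)
    "intranet.example": "10.20.0.5",
}


@dataclass
class Rule:
    title: str
    mode: str          # "Through Internet" or "Through VPN"
    source: set        # users, teams or tags the rule applies to
    destination: str   # IP address, CIDR range or domain name


def resolve(destination: str) -> ipaddress.IPv4Network:
    """Turn an IP, CIDR or (sample-table) domain into a network for matching."""
    if destination in SAMPLE_DNS:
        return ipaddress.ip_network(SAMPLE_DNS[destination])
    return ipaddress.ip_network(destination, strict=False)


def route(rules, identity: set, host: str) -> str:
    """Top-down evaluation: the first rule matching the identity and the
    destination decides; everything below it is ignored. Unmatched traffic
    takes the documented default, Through VPN."""
    ip = ipaddress.ip_address(SAMPLE_DNS.get(host, host))
    for rule in rules:
        if rule.source & identity and ip in resolve(rule.destination):
            return rule.mode
    return "Through VPN"


def dns_exclusion_problems(rules):
    """Through Internet rules whose range covers a Timus DNS address."""
    flagged = []
    for rule in rules:
        if rule.mode != "Through Internet":
            continue
        net = resolve(rule.destination)
        covered = [name for name, addr in TIMUS_DNS.items() if addr in net]
        if covered:
            flagged.append((rule.title, covered))
    return flagged


def shared_ip_conflicts(rules):
    """Pairs of rules with different modes whose destinations resolve to the
    same address or to overlapping ranges; only the higher one will take effect."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.mode != b.mode and resolve(a.destination).overlaps(resolve(b.destination)):
                conflicts.append((a.title, b.title))
    return conflicts


# Constructed sample rule table, ordered as it would appear on the
# Tunnel Configuration page (highest priority first).
SAMPLE_RULES = [
    Rule("Instagram direct", "Through Internet", {"team:marketing"}, "instagram.com"),
    Rule("WhatsApp via VPN", "Through VPN", {"team:marketing"}, "whatsapp.com"),
    Rule("Bad DNS exclusion", "Through Internet", {"tag:all"}, "192.168.0.0/16"),
]

if __name__ == "__main__":
    alice = {"user:alice", "team:marketing"}
    # WhatsApp shares the Instagram address, and the Instagram rule sits higher,
    # so WhatsApp traffic leaves Through Internet despite its own VPN rule.
    print("whatsapp.com for alice ->", route(SAMPLE_RULES, alice, "whatsapp.com"))
    print("DNS exclusion problems:", dns_exclusion_problems(SAMPLE_RULES))
    print("Shared IP conflicts:", shared_ip_conflicts(SAMPLE_RULES))
```

Run the audit functions against a copy of your own rule table before saving changes: a non-empty result from `dns_exclusion_problems` means name resolution on the agent will break, and each pair from `shared_ip_conflicts` marks a lower rule that will never be reached for the shared address.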
