How to Set Up Per-App VPN on Android: Split Tunnel Setup & Exclusions (2026)

If you already installed a VPN on Android but do not want every packet leaving the phone through the tunnel, you are looking for split tunneling controlled at app granularity. That pattern goes by several names—per-app VPN, selective routing, VPN bypass list, or an inverse split where only checked apps use the VPN. The goal is simple: keep banking, local carriers, or smart-home panels on the ordinary path while still sending browsers, chat tools, or remote-work clients through the exit you trust.

This tutorial stays vendor-neutral on the outer chrome—Samsung, Pixel, and MIUI move menu labels—but the mechanics are consistent. Android exposes a VPN interface to your app; the VPN app decides which UIDs (applications) bind to that interface. You will learn the two polar policies (everything except exclusions vs only selected inclusions), how they interact with Always-on VPN and Block connections without VPN, and how to verify behavior instead of trusting a green checkmark. Nothing here encourages bypassing lawful blocks, geofencing contracts, financial fraud controls, or acceptable-use policies; treat split tunnels as a convenience and clarity tool, not a guarantee against enforcement elsewhere on the stack.

Write down which mode you picked—allowlist or denylist—before you invite friends to “just toggle something.” Debugging mystery routing weeks later is expensive, and screenshots of the app list beat memory every time.

Per-app rules sit on top of DNS behavior. If Assistant-backed features stall despite perfect checkboxes, resolver order often matters more than the toggle you just flipped. Start with Gemini Intelligence on Android Slow or Won't Sync? VPN & DNS Stability Guide (2026) when cloud AI clients exhibit odd sync rather than obvious disconnects. For agent-style automations that open many TLS sessions back-to-back, the stability notes in Gemini Agentic AI on Android Failing? VPN & DNS Stability Troubleshooting (2026) parallel what you see inside browsers—routing thrash and DNS misses look like “the model broke” even when the culprit is network state.

Vocabulary: split tunneling vs per-app lists

Full tunnel means all eligible app traffic that respects the VPN routes through it by default. Split tunneling relaxes that default—either by excluding specific applications (a bypass or denylist) or by including only a subset (an allowlist or inverse split). Some products label the same feature “LAN traffic allowed” or “only use VPN for selected apps”; read the fine print next to the switch because the opposite policy can look visually similar in screenshots.

Why vendors disagree on wording: the Linux routing table underneath is still “default via VPN” or “split exceptions per uid,” but marketing teams inherit terms from enterprise gateways. What matters on Android is whether your list defines exceptions to the VPN or the only apps that may use it. Mixing those mental models is how banking apps end up overseas while you believed you excluded them.

• Denylist / bypass list: VPN for everyone except ticked apps—useful when a handful of programs need the home ISP path.
• Allowlist / include-only: VPN for ticked apps only—useful when nearly everything should stay local and only two or three clients need the tunnel.
• Profile scope: Work profiles and secondary users carry separate app UIDs; rules set inside a personal VPN rarely touch isolated work apps unless the client explicitly supports the container.

Before you touch the toggles

Collect baselines so you can recognize regressions:

1. Disconnect the VPN and record your public IP from a reputable checker in the browser you use daily.
2. Reconnect with no per-app rules yet—confirm the same browser now shows the VPN exit.
3. Note whether Private DNS (Settings → Network → Private DNS) is Automatic, Off, or pointed at a hostname; split routing without aligned DNS frequently masquerades as “app broken.”
4. Check IPv6 on your LAN; some captive portals or residential ISPs behave differently once a tunnel removes IPv6 paths.
5. Update the VPN app from your manufacturer-approved store channel so the per-app feature set matches documentation.

If you stack multiple VPN or firewall apps, uninstall or fully disable overlays temporarily. Two fighting interfaces produce “sometimes bypass” symptoms that no single checklist explains.

Configure per-app routing inside the VPN client

The authoritative UI lives in your VPN application, not Android’s legacy VPN settings page (that screen mainly lists profiles and permissions). Typical navigation, ignoring exact labels: Settings → Split tunneling / App filter / Per-app VPN. Enable the feature, then pick the mode that matches your intent:

• For a bypass list, select apps that must not use the tunnel—mobile banking, regional streaming, peer-to-peer utilities you want on the direct path, or a carrier billing portal.
• For an allowlist, select only the apps that should use the tunnel—often a browser, a mail client, remote desktop, or research tools.
• If the client offers system apps separately, expand that group deliberately. Downloads provider, captive-portal helpers, or location stack components sometimes need to stay off the tunnel for sign-in flows.

After saving:

1. Fully disconnect VPN using the client’s main switch, wait five seconds, reconnect—many builds hot-apply lists; others only evaluate UIDs on fresh VPNService bindings.
2. If behavior looks cached, toggle airplane mode for a shorter reset than rebooting.
3. Reopen the app you expect to bypass from a cold start (swipe it away from recents) so it cannot reuse sockets spawned while the previous policy applied.

Document any “recommended” presets from your provider; some ship curated lists that pre-tick common financial clients. Treat those as starting points, not law—your household apps differ.

Android OS controls that interact with app lists

Two settings routinely confuse even careful readers:

• Always-on VPN: In Settings → Network & internet → VPN → gear icon for your profile, Android can force the VPN to reconnect. Helpful for persistence; occasionally awkward when you toggled split rules and expect instant teardown.
• Block connections without VPN: This is a kill switch. When enabled, Android blocks traffic that tries to exit without passing through the VPN interface. That can clash with bypass lists—depending on implementation, excluded apps may still need carefully crafted routing exceptions, or the OS may refuse mixed policies until you disable the kill switch. If bypassed apps suddenly show “no network,” test with the block toggle off while leaving Always-on on.

Mobile data saver, battery optimizations that freeze VPN background services, and OEM “auto manage apps” features can also revive stale policies after reboot. Whitelist the VPN app from aggressive sleep if reconnect loops erase your split list context on every resume.

Verify with observable signals

A checklist beats guessing:

1. Browser vs excluded app: Use a browser you route through the VPN to load an IP checker—confirm the exit country matches expectation. Then open an excluded browser (or the same browser in a duplicate profile if split logic is per-app) and recheck. Different IPs mean the bypass path works.
2. Transport-heavy apps: Voice or video clients should be tested on Wi-Fi and on cellular separately; some carriers insert HTTP proxies that confuse MTU-discovered tunnels.
3. DNS leaks conceptually: Even when IPs differ, Private DNS may still send queries globally. If sites load but localized panels mis-detect region, align Private DNS with what your VPN vendor documents—mirroring the guidance in our Gemini DNS article family.
4. Latency sanity: Ping or traceroute utilities are optional; many OEM builds hide them. A simple download smoke test in included vs excluded apps still reveals accidental full-tunnel regressions.

Keep test notes: date, APK versions, whether kill switch was on, and the exact mode (allow vs deny). Support teams need that matrix, not screenshots of half the screen.

When routing looks “almost right”

Iterate through narrow hypotheses:

• Stale connections: Long-lived QUIC sessions may ignore fresh uid rules until you force-stop the target app.
• WebView shells: Mini-browsers inside social or shopping apps sometimes carry a different package name than the host; tick both or verify inside the VPN app’s search field.
• Dual-SIM / eSIM: If one subscription demands direct routing for billing, exclude not just the portal app but any companion diagnostics it spawns.
• IPv6 leakage conceptually: If the tunnel suppresses IPv6 while an excluded app still prefers AAAA records, odd fallback timing can feel like random breakage; toggling tunnel IPv6 options—if exposed—tests that theory.

Clients that hide split tunneling behind paywalls—or bury lists under confusing double negatives—often push people toward “full tunnel everything,” which is fine until local latency-sensitive services misbehave. Conversely, blog posts that only explain desktop routing leave Android readers assuming the platform works like Windows, where per-process rules sometimes integrate differently with the system DNS stack. The gap shows up as intermittent name resolution or captive-portal loops that have little to do with the VPN brand and everything to do with mismatched assumptions about Private DNS and kill switches.

ClashVPN aims for a single coherent mobile story: connect once, understand whether you are in full tunnel or selective mode, and switch exits without guessing which ghost profile still owns the routing table. New accounts receive free traffic after registration, which is enough to rehearse bypass lists on real apps before you commit to heavier use. Pair that with a client that surfaces split tunneling plainly, and you avoid the ping-pong between “works in Chrome, fails in WebView” mysteries.

When you are satisfied with your verification checklist above, install or update from the ClashVPN download center—the same entry handles login and registration in one flow—and manage plans or account details anytime through your account area once split policies behave predictably day to day.