When a remote user connects, do you route all their internet traffic through the corporate network, or only traffic destined for internal resources? This decision impacts performance, security, and user privacy.
Full tunneling forces all endpoint traffic (including internet browsing) through the corporate VPN. This allows the enterprise to inspect outbound traffic for malware, enforce web filtering, and prevent data exfiltration from the endpoint.
💡 Pro-tip: Full tunneling is mandatory for compliance in many regulated industries, as it ensures the endpoint cannot be used as a bridge to bypass corporate security controls.
A routing table whose default gateway is the VPN interface (utun0) shows that all internet-bound traffic is being forced through the corporate tunnel; only specific internal prefixes pointing at the VPN interface, with the default route still on the physical interface, indicates split tunneling.
Split tunneling only routes internal corporate traffic through the VPN, sending internet traffic directly to the user's local ISP. This improves performance and reduces corporate bandwidth costs but leaves the endpoint vulnerable to local network attacks.
⚠️ Split tunneling creates a massive security gap if the endpoint is compromised. An attacker on the user's home Wi-Fi can use the VPN tunnel to pivot directly into the corporate network, bypassing edge firewalls.
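The routing-table check described above, as an added example that is not part of the original page: it parses the text of `netstat -rn` (macOS/BSD) or `ip route` (Linux) output and classifies the endpoint as full tunnel, split tunnel, or no VPN. The sample routing tables are constructed for this example; the interface-name pattern for VPN adapters (utun, tun, tap, wg, ppp, ipsec) is an assumption, and it also handles the OpenVPN "redirect-gateway def1" case, where the default route is not replaced but covered by two /1 halves.

```python
"""Classify a host's VPN tunnel mode from routing-table text (added example, not from the page)."""
import re

# Assumed interface-name patterns used by VPN clients: utun (macOS), tun/tap/wg/ppp/ipsec (Linux).
# Caveat: macOS also creates utun interfaces for non-VPN services, so confirm against the VPN client.
VPN_IFACE = re.compile(r"^(utun|tun|tap|wg|ppp|ipsec)\d*$")
ANY_IFACE = re.compile(r"^[a-z]+\d+$")
DEFAULT_DESTS = {"default", "0.0.0.0", "0.0.0.0/0", "0/0"}
# OpenVPN's "redirect-gateway def1" leaves the default route alone and adds two /1 routes that
# together cover the whole address space; either spelling appears depending on the OS.
DEF1_HALVES = ({"0/1", "128.0/1"}, {"0.0.0.0/1", "128.0.0.0/1"})


def parse_routes(text):
    """Return [(destination, interface)] from `netstat -rn` (macOS/BSD) or `ip route` (Linux) output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if "dev" in parts:  # Linux: "<dest> [via <gw>] dev <iface> ..."
            idx = parts.index("dev") + 1
            if idx >= len(parts):
                continue
            iface = parts[idx]
        else:  # macOS/BSD: "<dest> <gateway> <flags> <netif> [expire]"; the netif column is the last token that looks like an interface
            ifaces = [p for p in parts if ANY_IFACE.match(p)]
            if not ifaces:
                continue  # header line or section title, no interface column
            iface = ifaces[-1]
        routes.append((parts[0], iface))
    return routes


def vpn_prefixes(routes):
    """Sorted destinations that currently route through a VPN interface (the reachable internal surface)."""
    return sorted({d for d, i in routes if VPN_IFACE.match(i)})


def tunnel_mode(routes):
    """'full' if the default route (or both def1 halves) goes via the VPN, 'split' if only specific prefixes do, else 'no-vpn'."""
    vpn_dests = set(vpn_prefixes(routes))
    if not vpn_dests:
        return "no-vpn"
    if vpn_dests & DEFAULT_DESTS or any(half <= vpn_dests for half in DEF1_HALVES):
        return "full"
    return "split"


# Constructed sample routing tables (not captured from a real host).
MAC_FULL = """Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.8.0.1           UGScg           utun0
10.8.0.1           10.8.0.1           UH              utun0
127                127.0.0.1          UCS             lo0
192.168.1          link#6             UCS             en0      !
192.168.1.1        a1:b2:c3:d4:e5:f6  UHLWIir         en0   1200
"""

MAC_SPLIT = """Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg           en0
10                 10.8.0.1           UGSc            utun0
10.8.0.1           10.8.0.1           UH              utun0
127                127.0.0.1          UCS             lo0
192.168.1          link#6             UCS             en0      !
"""

LINUX_DEF1 = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

LINUX_NOVPN = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

if __name__ == "__main__":
    for name, table in (("mac full", MAC_FULL), ("mac split", MAC_SPLIT),
                        ("linux def1", LINUX_DEF1), ("linux no vpn", LINUX_NOVPN)):
        routes = parse_routes(table)
        print(f"{name:13s} -> {tunnel_mode(routes):6s} via VPN: {vpn_prefixes(routes)}")
```

In a compliance check, feed the function the live output of `netstat -rn` or `ip route` and alert when the result is anything other than `full`; in the `split` case, the `vpn_prefixes` list is exactly the set of internal networks reachable from whatever local network the endpoint is sitting on.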
| Mode | Routing | Security Risk |
|---|---|---|
| Full Tunnel | All traffic via VPN | Low (Centralized inspection) |
| Split Tunnel | Corp traffic only | High (Bypasses edge controls) |
| Inverse Split | Internet via VPN | Medium |