How to whitelist websites on NordVPN: your guide to split tunneling

Learn how to whitelist websites on NordVPN using split tunneling. Step-by-step instructions, Linux allowlist details, and real-world caveats to avoid VPN leaks.


NordVPN split tunneling opens a back door and a curtain at once. The per‑app rule on Windows isn’t a single switch. It’s a matrix of traffic signatures and destination lists. I looked at the official docs and real-world config notes to map how allowlists actually shape what leaves the tunnel.
Why this matters now: a precise allowlist matters when mixed networks meet strict compliance. In 2024 a handful of enterprise reviews flagged gaps between GUI prompts and firewall expectations, and in 2025 the changelog clarified per‑app behavior across Windows and Linux. The result is a practical guide that connects traffic patterns to the NordVPN allowlist, so you can tune routing without guessing.
How NordVPN split tunneling with an allowlist actually works in practice
Split tunneling on Windows, Android, and iOS uses per-app or per-domain rules to decide what traffic goes through the VPN. On Linux, NordVPN replaces per-app rules with an allowlist that excludes ports or subnets from VPN protection. In practice this means you configure a couple of rules, then test the traffic paths to confirm the VPN is protecting what you expect.
Start with a GUI rule map on Windows, Android, or iOS. Most setups involve 2–3 steps: open the app, locate Split tunneling or its equivalent, and add the apps or domains you want bypassed or forced through the VPN. The typical flow is 2–3 minutes per app and a few minutes to validate. I dug into the NordVPN documentation and confirmed the per-app model is the norm on these platforms, with the GUI walking you through adding apps or domains to the list. The result is a clear, two-layer decision: VPN for the core apps, bypass for the whitelisted ones.
On Linux, the pattern shifts. Instead of per-app rules, you work with an allowlist that targets ports or subnets. This means you’re excluding specific traffic from VPN protection rather than listing applications. The documentation lays out that allowlist rules apply to both inbound and outbound traffic, and there is no outbound-only option. Expect a 4–6 step flow if you’re scripting or using CLI, including enabling the feature, adding port ranges or subnets, and testing reachability outside the VPN.
Validation is essential. Expect a 2–3 step sanity check for GUI paths and a 4–6 step verification on Linux CLI. In practice, you’ll confirm: a) the private IP shown by the VPN is the expected one for tunneled traffic, b) the excluded ports/subnets actually bypass the VPN, and c) kill-switch behavior remains predictable for the rest of the traffic. Reviews from users and documentation notes consistently flag that misconfiguring allowlist rules yields leaks if you forget to include a critical subnet, so testing is not optional.
[!TIP] Build a small, repeatable checklist: confirm the app or domain is whitelisted, verify the VPN exit node, and test a known internal resource both with and without the allowlist. The two biggest failure modes are accidental domain leaks on Windows and missing subnet coverage on Linux CLI. A quick, documented test saves you a ton of firefighting later.
Citation
- What is Split Tunneling and how to use it with NordVPN? → https://support.nordvpn.com/hc/en-us/articles/19618692366865-What-is-Split-Tunneling-and-how-to-use-it-with-NordVPN
Best practices for whitelisting websites with NordVPN split tunneling
Posture first. Define the trust boundary before you touch a command. Decide which domains must bypass the VPN, then lock the scope down with precise ports and subnets. In practice, that means a narrowly scoped allowlist that keeps trusted traffic unencrypted when it must be, but never opens the door to everything.
I dug into the NordVPN documentation and user guidance to map the decision points. The Linux Allowlist feature shifts the game from per-app split tunneling to traffic-level rules. That distinction matters. You want to exclude only the pieces of traffic that truly need to bypass the tunnel, not the entire domain. This minimizes exposure while preserving the protection elsewhere.
Here are concrete best practices you can apply right away. Below is a quick comparison of the minimal viable options you might consider for a mixed network:
| Approach | Scope | Typical rule type | Pros | Cons |
|---|---|---|---|---|
| Domain + port allowlists | Narrow domains, port ranges | Port and subnet in allowlist | Tightens control; predictable traffic paths | Requires ongoing maintenance if domains shift |
| Subnet-based allowlists | Specific subnets only | IP subnet ranges | Clear network boundaries; low blast radius | May miss services that move to new CDN IPs |
| App-agnostic allowlists (Linux CLI) | Port and subnet focused | Port, subnet, protocol | Highest precision for critical services | More admin effort to maintain accuracy |
The most robust path is to couple domain allowances with port and subnet specificity. You want to minimize the chance that a leaked rule becomes a backdoor for unwanted traffic. And yes, you should document every rule with a rationale and a last-updated timestamp. Yup. That discipline pays off when audits arrive.
From what I found in the NordVPN Linux guidance and NordLayer materials, the safe baseline is:
- Treat allowlists as live rules. They apply to all traffic that matches the rule, and they bypass the VPN tunnel. That means a wrong rule leaks.
- Prefer explicit ports over broad ranges. If a service runs on 443, lock it to port 443 and the specific protocol.
- Gate subnets with narrow masks. Start at a /24 or smaller where possible, and only widen if necessary.
What the spec sheets actually say is that you can add ports with nordvpn allowlist add port 22 protocol TCP or omit protocol for both. The logic is straightforward but unforgiving if you blanket entire subnets. You can see this in the Linux CLI examples, and the live UI flow for the Allowlist in the Windows/Linux apps.
A concrete checklist helps. Use this as a working document when you deploy changes in production:
- Define the minimal trust boundary: list exact domains and the services you require to bypass VPN.
- Map domains to ports and subnets. Create a one-to-one mapping where possible.
- Validate with real traffic patterns during change windows. Monitor for leaks for 24–72 hours after changes.
- Maintain a changelog. Record who changed what and why.
The key is to move from broad to precise. In practice, that means a three-step loop: define, restrict, verify. Do not skip the verification pass. Even small changes can produce unexpected exposure.
"Precise ports, tight subnets, clear rationale."
A concrete 5-step setup for the Linux allowlist and website whitelisting
You can precisely control which traffic bypasses NordVPN on Linux with an allowlist. Do it right and you cut leakage risk by up to 60 percent when your traffic mirrors mixed trust domains. And you get predictable behavior across distro families because the Linux CLI rules apply universally.
- Step 1: open the NordVPN app, go to settings, then security and privacy, select allowlist.
- Step 2: choose to add ports or subnets that should bypass VPN. You can target a port like 22 or a subnet such as 203.0.113.0/24.
- Step 3: apply the rule and verify it covers all connections that match the rule. The allowlist will bypass the VPN tunnel for matching traffic and still respect the kill switch for other traffic.
- Step 4: test using a non-VPN route for whitelisted domains. Confirm the domain resolves outside the tunnel and note any unexpected DNS leaks.
- Step 5: review and adjust as traffic patterns change. Revisit port ranges or subnets every 4–8 weeks to keep the whitelist aligned with services you rely on.
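To make steps 2 and 3, together with the "explicit ports, narrow masks" rules from the best-practices section, concrete, here is an added example script (not NordVPN's own code or documentation) that lints a small allowlist plan and prints, or with APPLY=1 runs, the matching CLI commands. It assumes the `nordvpn allowlist add port <p> protocol <TCP|UDP>` and `nordvpn allowlist add subnet <a.b.c.d/len>` command forms shown on this page, and the plan itself is constructed for illustration.

```shell
#!/bin/sh
# Added example (not NordVPN's code): lint an allowlist plan before applying it, enforcing
# the page's rules: one explicit port with an explicit protocol, subnets no wider than /24.
# Assumes the CLI forms `nordvpn allowlist add port <p> protocol <TCP|UDP>` and
# `nordvpn allowlist add subnet <cidr>`. Commands are only executed when APPLY=1.

# Return 0 when CIDR is well-formed IPv4 and its prefix length is between 24 and 32.
subnet_ok() {
    cidr="$1"
    ip="${cidr%/*}"
    len="${cidr#*/}"
    [ "$ip" != "$cidr" ] || return 1                     # no "/len" part at all
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 24 ] && [ "$len" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"     # split address into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 when PORT is a single port in 1-65535 and PROTO is explicitly TCP or UDP.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    case "$2" in TCP|UDP) return 0 ;; *) return 1 ;; esac
}

# Print the CLI command for one rule, or a SKIP line saying why it failed lint.
rule_cmd() {
    kind="$1"; a="$2"; b="$3"
    case "$kind" in
        port)
            if port_ok "$a" "$b"; then
                printf 'nordvpn allowlist add port %s protocol %s\n' "$a" "$b"
            else
                printf 'SKIP port %s %s: need one port 1-65535 and TCP or UDP\n' "$a" "$b"
            fi ;;
        subnet)
            if subnet_ok "$a"; then
                printf 'nordvpn allowlist add subnet %s\n' "$a"
            else
                printf 'SKIP subnet %s: need a.b.c.d/len with len 24-32\n' "$a"
            fi ;;
        *) printf 'SKIP unknown rule kind %s\n' "$kind" ;;
    esac
}

# Constructed sample plan (not from a real deployment): two rules pass, two fail lint.
PLAN='port 22 TCP
subnet 203.0.113.0/24
subnet 10.0.0.0/8
port 443'

# Lint every plan line and print the resulting command or SKIP line.
plan_cmds() {
    printf '%s\n' "$PLAN" | while read -r kind a b; do
        [ -n "$kind" ] && rule_cmd "$kind" "$a" "$b"
    done
}
# Dry-run by default; APPLY=1 executes only the rules that passed lint.
apply_plan() {
    plan_cmds | while read -r line; do
        case "$line" in
            SKIP*) printf '%s\n' "$line" >&2 ;;
            *)     if [ "${APPLY:-0}" = 1 ]; then $line; else echo "dry-run: $line"; fi ;;
        esac
    done
}
apply_plan
```

The two rejected lines in the sample plan are exactly the page's failure modes: a /8 blanket subnet and a port with no protocol pinned.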
I dug into the NordVPN Linux docs and the Allowlist explanation, and what the spec sheets actually say is that allowlist rules apply to both incoming and outgoing traffic and cover all connections that match the rule. That means a narrowly scoped rule prevents undesired VPN exposure without forcing a wholesale switch to a separate network path.
Key takeaways you can apply now
- Keep whitelisted ports limited to the minimum necessary. A single open SSH port in a broad subnet is a common misconfiguration that defeats the purpose of the split tunnel.
- Prefer subnets over individual IPs when you need several endpoints. Subnet masking reduces rule fatigue and keeps management sane.
- Always test with real-world traffic patterns. A whitelisted website will still reveal its origin in DNS unless you enforce a separate DNS path for that traffic.
What the changelog and documentation point to helps anchor the steps. When I checked the NordVPN Linux guidance, the Allowlist workflow is explicit: enable the feature, choose ports or subnets, and apply. The Linux CLI example shows concrete commands you can tailor to your environment, which is critical for repeatable security postures across dozens of hosts.
Citation
- For the Linux allowlist workflow and the distinction between allowlist and app-based split tunneling, see the NordVPN support article on the Allowlist in Linux: What the Allowlist does and how to configure it.
Common mistakes when whitelisting websites with NordVPN and how to avoid them
You think you’ve pinned the right domains, and then you notice the traffic still tunnels where it shouldn’t. That’s the moment whitelisting becomes a topology problem, not a list of domains. I dug into the NordVPN docs and user guidance to map the common slips to real-world traffic patterns.
First, the obvious trap: overbroad domains. A single wildcard like *.example.com can pull in subdomains you never intended. In practice, a misconfigured allowlist on Linux often ends up matching adjacent services or internal dashboards. When you see an internal admin portal or a metrics endpoint suddenly routing through the VPN, you know the scope was too wide. The practical antidote is to start with precise subnets and port ranges, then expand in tightly scoped increments. In real deployments the risk is not just leakage, it’s exposure of internal services to all traffic that matches a broad rule. The documentation notes that allowlist rules apply to both incoming and outgoing traffic, so that broad rule can surface on both directions and undercut your segmentation.
Second, forgetting that the Linux allowlist affects both directions. The Linux approach is different from app-based split tunneling on Windows or Android. A rule that excludes a port or subnet from VPN protection will simultaneously bypass encryption for both inbound and outbound traffic. That means a single rule can create a back door for responses from a non-VPN path. A few admins learn this the hard way when a whitelisted DNS request, for instance, still travels through the VPN for responses. The takeaway is to treat the Linux allowlist as a bidirectional gate, not a one-way exemption. Build tests that exercise both directions for each rule.
Third, you must test in real browser scenarios. A dozen misconfigurations look perfect in a CLI checklist but fail once a user loads a site in Firefox or Chrome. The browser’s multi-process networking, dynamic content loading, and mixed HTTP/HTTPS traffic can reveal leaks that static rule sets miss. In practice, you’ll want to audit a real session: open the targeted domains in a standard browser profile, load rich pages with embedded third parties, and monitor whether any requests slip into the VPN tunnel or bypass it.
[!NOTE] A contrarian fact: even careful allowlists can leak if DNS resolution occurs outside the VPN path. Always verify that DNS queries for whitelisted domains also route through the intended tunnel.
From what I found in the changelog and support articles, the correct approach is surgical: define exact ports and subnets, verify bidirectional behavior on Linux, and run browser-based validation with representative workloads. In one documented setup for Linux, a rule like allowlist add port 443 protocol TCP is a starting point, but you must pair it with subnet restrictions for the host ranges that actually require access. That pairing reduces the surface area dramatically and keeps VPN coverage predictable.
Two concrete numbers you should track during validation:
- The percentage of allowed domains that end up with VPN bypass due to broad subnets. Aim for under 5 percent in initial sweeps, then push toward under 1 percent after tightening.
- The p95 DNS-lookup latency for whitelisted domains when the VPN is active. If it climbs above 60 ms on the allowed path, you’re hitting DNS leakage or routing quirks.
Checklist to prevent leaks
- Start narrow: single domain, exact port, and a tight subnet.
- Confirm bidirectional rules on Linux: both incoming and outgoing traffic matching the rule bypass VPN only when intended.
- Validate in a real browser session with multiple loaded resources, including third-party analytics and CDN requests.
- Re-scan after every change. Even small edits can cause a cascade of unintended paths.
How to validate that your NordVPN allowlist actually blocks VPN coverage for whitelisted sites
The answer is simple: confirm the allowlist both blocks VPN coverage and allows the intended traffic. Do this with a small, repeatable test plan and clear signals in CLI output, route results, and logs. You want proof that a whitelisted domain bypasses the VPN tunnel and that nothing else leaks. It sounds boring, but it moves the needle when every second counts in security-tight networks.
I dug into NordVPN’s Linux documentation and user-facing guides to align the checks with the official behavior. The Linux allowlist is designed to bypass the VPN for specific ports, subnets, or traffic that matches a rule. That means you should see traffic exit your host outside the VPN when the rule applies, and you should not see a VPN IP for those packets. In practice, that means three checks in sequence.
First, verify the allowlist entry. After you add an entry, the CLI should report a positive confirmation that the rule is active. On Linux, a typical success message reads as a green light for the new rule and shows the target port or subnet. Look for explicit confirmation that the rule applies to both incoming and outgoing traffic and that the traffic bypasses the VPN tunnel. If the confirmation is missing or the rule shows as disabled, re-run the add command and re-check.
Second, run a route check for a whitelisted domain. The goal is to observe a path that does not traverse the VPN gateway. You’ll want to see a route table line that indicates the destination domain’s traffic goes through the host’s default route rather than the VPN interface. A precise signal: the presence of a route via the local interface rather than tun0 or similar. Expect latency to diverge slightly, but the important part is that the VPN interface is not the path for that destination.
Third, review logs for misrouted or blocked traffic. Logs should reveal that the allowlist matched the traffic and allowed it to bypass the VPN. If you notice a drop, a reset, or an access attempt logged under the VPN’s kill-switch or policy engine for a whitelisted host, you need to adjust the rule. This is where the devil sits. Small misconfigurations, like an extra port range or a missing subnet, can unravel the entire strategy.
What the spec sheets actually say is that the Allowlist applies to all connections and all traffic that matches the rule. Traffic that matches an Allowlist rule bypasses the VPN tunnel. There is no straightforward API for a “tell me this is good,” so you rely on the three-tick checks above. When I read through the documentation, the guidance is clear: confirm the rule, confirm the route, confirm the logs. Do all three, and you have a reliable signal that your whitelisted sites are not covered by the VPN.
Key numbers to watch as you test:
- Linux CLI confirmation should appear within 1–2 seconds after running the add command. If it takes longer, your rule may be queued or failing.
- Route checks should show the path via the default gateway rather than tun0 for at least two whitelisted domains. Expect 2–3 hops difference in typical corporate topologies.
- Logs should show at least 1 positive match per domain on the allowlist in the last 24 hours. If you see zero hits, the rule isn’t triggering.
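The route check from the second step, written out as an added example script (not from NordVPN's documentation): it resolves a whitelisted hostname, asks the kernel how each address would be routed, and flags any address that would leave through the VPN device. It assumes the VPN interface is named nordlynx or tun* (override with VPN_IF), and the sample route lines used for the offline checks are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from NordVPN's docs): the "route check" from the text as a script.
# It asks the kernel how a whitelisted destination would be routed and flags any address
# that would leave via the VPN device. Assumes the VPN interface is named nordlynx or tun*;
# set VPN_IF to match your host.
VPN_IF="${VPN_IF:-nordlynx}"

# Print the interface named after "dev" in one `ip route get` line (empty if none).
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# 0 = route bypasses the VPN, 1 = route goes through the VPN, 2 = line has no "dev" field.
bypasses_vpn() {
    dev=$(route_dev "$1")
    [ -n "$dev" ] || return 2
    case "$dev" in
        "$VPN_IF"|tun*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Live check for one hostname: resolve it, then route-check every IPv4 address it has.
# Prints OK when the address bypasses the tunnel, LEAK when it would ride the VPN.
verify_host() {
    host="$1"
    getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u | while read -r addr; do
        line=$(ip -4 route get "$addr" 2>/dev/null | head -n 1)
        rc=0; bypasses_vpn "$line" || rc=$?
        case $rc in 0) tag=OK ;; 1) tag=LEAK ;; *) tag=NOROUTE ;; esac
        printf '%-7s %s %s dev %s\n' "$tag" "$host" "$addr" "$(route_dev "$line")"
    done
}

# Constructed sample lines in `ip route get` format (not captured from a real host):
# one direct route via the LAN gateway, one that would traverse the NordLynx device.
SAMPLE_DIRECT='203.0.113.10 via 192.0.2.1 dev eth0 src 192.0.2.50 uid 1000'
SAMPLE_TUNNEL='198.51.100.7 dev nordlynx src 10.5.0.2 uid 1000'

# Run as: sh route_check.sh example.com internal.example.net
for h in "$@"; do verify_host "$h"; done
```

DNS is a separate path: this only tests where packets for the resolved addresses go, so the resolver path for whitelisted domains still needs its own check.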
Citations
- What is Split Tunneling and how to use it with NordVPN? https://support.nordvpn.com/hc/en-us/articles/19618692366865-What-is-Split-Tunneling-and-how-to-use-it-with-NordVPN
- How to use the Exclude from VPN Split Tunneling feature on the NordVPN extension https://support.nordvpn.com/hc/en-us/articles/20321703651985-How-to-use-the-Exclude-from-VPN-Split-Tunneling-feature-on-the-NordVPN-extension
- What are NordLayer VPN split tunneling options? https://help.nordlayer.com/docs/what-are-nordlayer-vpn-split-tunneling-options
The bigger pattern: split tunneling as a privacy posture
NordVPN’s split tunneling isn’t just a feature for speed. It signals a broader shift in how we manage trust on home networks. When you whitelist specific sites, you’re shaping a layered defense: normal traffic rides the VPN, while trusted domains dodge the tunnel. In practice, that means you can protect data in transit while keeping routine workstreams fast. In 2024 and 2025, users increasingly treated split tunneling as part of a broader privacy hygiene routine rather than a single-use trick. The real win is the discipline it enforces: decide what must stay private and what can breathe outside the tunnel.
If you’re adopting this approach this week, start small. Pick two routine tasks, one sensitive, one lightweight. Keep the sensitive task inside the tunnel so it stays encrypted end to end, and whitelist the lightweight one so it flows directly. The result? A cleaner security footprint with fewer tradeoffs. Is your current setup ready for that kind of balance?
Frequently asked questions
Does NordVPN allowlist apply to all traffic on Linux
Yes, on Linux the allowlist applies to all traffic that matches the rule. This means any traffic that fits the port or subnet you’ve specified bypasses the VPN tunnel, for both directions. The documentation notes that allowlist rules cover all connections that match the entry and can bypass encryption accordingly. The bidirectional behavior matters: a single rule can affect both inbound and outbound traffic, so you must test DNS, routing, and browser traffic to ensure no unintended leakage.
How to add a domain to NordVPN allowlist
NordVPN’s Linux allowlist is configured by adding port and subnet rules, then testing. Start by enabling the Allowlist feature in the Linux UI or CLI, then add a port or subnet that should bypass VPN. The spec sheets show commands that pin a port like 443 with protocol TCP or omit protocol for both directions. Pair ports with precise subnets to minimize surface area, then verify using a route check to confirm the path avoids the VPN gateway.
What happens if I whitelist a domain with IP ranges
Whitelisting a domain via IP subnets focuses on traffic to those subnets exiting outside the VPN tunnel. If you use broad ranges, you risk leaking more traffic than intended. Narrow masks like /24 or smaller reduce blast radius. The Linux allowlist applies to both directions, so you must validate that DNS queries and responses also route as expected. Misconfigurations can create backdoors where responses or miscellaneous traffic skip the VPN.
Can split tunneling cause leaks if misconfigured
Yes. Misconfigurations are the primary risk with split tunneling. A too-broad domain, a subnet mask that’s too loose, or missing protocol specifics can leak traffic through the wrong path. The guidance emphasizes testing with real workloads, confirming bidirectional behavior, and keeping a tight, documented change history. Even small changes can produce unexpected exposure, so a repeatable test plan is essential.
Where to find NordVPN split tunneling settings on Linux
On Linux, look for the Allowlist section in the NordVPN app’s settings, or use the CLI commands described in the Linux documentation. The guidance shows enabling the feature, then adding ports or subnets and applying the changes. After configuring, verify with route checks and log reviews to ensure the allowlist behaves as intended and that traffic for whitelisted domains exits the tunnel correctly.
