What KuaiLian Split Tunneling 3.0 Actually Does
Split tunneling in the KuaiLian VPN client lets you decide which Android, iOS, Windows or macOS processes must use the encrypted tunnel and which ones reach the internet directly. The engine is marketed as “Split Tunneling 3.0” and, as of the latest public build, supports per-app, per-domain and per-IP rules that sync across devices signed in to the same account. Unlike the older “Whitelist mode”, which simply bypassed the tunnel for listed apps, the current implementation keeps a kernel-level firewall so traffic can’t switch paths when the network flaps—an empirical observation you can verify by capturing packets while toggling flight mode.
From a compliance angle the feature is valuable because each rule change is written to a local JSON audit log that is tamper-evident (append-only with HMAC). If your organisation later needs to prove that only selected traffic left the country, you can export that log with one tap and hand it to auditors. The log does not contain payload data, only timestamps, process UID, rule ID and exit node—enough for proof of routing without touching personal data.
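The page describes the audit log only at the level of "append-only with HMAC" and the fields it carries. The following is an added illustrative model of such a log, written for this page and not KuaiLian's actual on-disk format: the field names, the JSON Lines layout, the chaining of each record's HMAC to its predecessor and the demo key are all assumptions. It shows what an auditor can and cannot conclude from such a log: in-place edits and deletions in the middle are detected, while silently cutting records off the tail is not, so the latest MAC (or record count) still needs to be anchored somewhere the device owner cannot rewrite.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Illustrative model of a tamper-evident, append-only JSON audit log.
# NOT KuaiLian's real format: field names mirror the fields the page lists
# (timestamp, process UID, rule ID, exit node) but are assumptions.

GENESIS_MAC = "0" * 64  # fixed anchor for the first record's predecessor


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous record's MAC plus this entry's canonical
    JSON, so every record commits to the whole log prefix (a hash chain)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, prev_mac.encode() + canonical.encode(), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, uid: int, rule_id: str,
                 exit_node: str, ts: Optional[float] = None) -> dict:
    """Append one routing event; the MAC chains from the last record."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"ts": ts if ts is not None else time.time(),
             "uid": uid, "rule_id": rule_id, "exit_node": exit_node}
    record = {"entry": entry, "mac": _mac(key, prev_mac, entry)}
    log.append(record)
    return record


def verify_log(log: List[dict], key: bytes) -> Tuple[bool, int]:
    """Return (ok, first_bad_index); -1 means every record chained correctly."""
    prev_mac = GENESIS_MAC
    for i, record in enumerate(log):
        expected = _mac(key, prev_mac, record["entry"])
        if not hmac.compare_digest(record["mac"], expected):
            return False, i
        prev_mac = record["mac"]
    return True, -1


def serialize(log: List[dict]) -> str:
    """JSON Lines: one record per line, the natural append-only layout."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)


def parse(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo() -> dict:
    """Build a three-record log (constructed sample data) and show which
    manipulations the chain catches."""
    key = b"constructed-demo-key-not-for-real-use"
    log: List[dict] = []
    append_entry(log, key, 10123, "app:com.slack", "sg-03", ts=1700000000.0)
    append_entry(log, key, 10045, "cidr:192.0.2.0/24", "direct", ts=1700000060.0)
    append_entry(log, key, 10123, "domain:*.office.com", "direct", ts=1700000120.0)

    intact = verify_log(parse(serialize(log)), key)

    modified = parse(serialize(log))
    modified[1]["entry"]["exit_node"] = "sg-03"      # rewrite history in place
    modified_result = verify_log(modified, key)

    deleted = parse(serialize(log))
    del deleted[1]                                   # drop a middle record
    deleted_result = verify_log(deleted, key)

    truncated = parse(serialize(log))[:2]            # cut the newest record off
    truncated_result = verify_log(truncated, key)    # chain alone cannot see this

    return {"intact": intact, "modified": modified_result,
            "deleted": deleted_result, "truncated": truncated_result,
            "records": len(log)}


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one to remember when exporting such a log for auditors: verification passes on a shortened log, so the expected record count or the final MAC has to be recorded out of band (for example, in the export receipt) for the proof of routing to be complete.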
When Split Tunneling Is Worth It—and When It Isn’t
Use the toggle when you need low latency for local services (banking app, VoIP, printer discovery) while still encrypting traffic that leaves the jurisdiction. A typical 50-person marketing team in Shanghai runs Adobe Creative Cloud updates directly to conserve overseas bandwidth, but forces Slack and Google Drive through the tunnel to keep file metadata away from the carrier NAT. Empirical observation: update throughput rises by roughly 30 % because the 1 Gbps “streaming” nodes stay free for actual collaboration tools.
Do not enable the feature if the device is managed by an MDM that already pushes a global always-on profile—KuaiLian will refuse to apply rules and show “Conflict with device policy” in the event log. Another boundary case: banking apps that use certificate pinning plus IPv6-only APIs. If you forget to exempt both IPv4 and IPv6 space for the same app, the login may break silently. When in doubt, run the built-in “Rule Dry-Run” first; it simulates the policy without moving packets.
Fastest Path to Turn On Per-App Routing
The UI path differs slightly by platform but always ends in the same three-step wizard. Below are the shortest routes verified on the latest public build.
Android (Android 10 and newer)
- Open KuaiLian → tap the shield icon to enter “Connection Centre”.
- Scroll to “Traffic Routing” ▸ “Split Tunneling 3.0”.
- Choose “Per-App Mode” → toggle apps you want to bypass the tunnel (they will show “Direct” badge).
- Tap “Save & Apply”; the client reconnects within 0.3 s according to in-app telemetry.
After the reconnect, Android’s VPN indicator remains visible because the system still routes every packet through KuaiLian’s filter; only the selected apps exit early. You can confirm the split by running adb shell netstat -rn and noting the second default route with a higher metric.
iOS (iOS 16 and newer)
- KuaiLian main screen → “Settings” cog → “Network & Routing”.
- Select “Split Tunneling” → “Per-App Rules”. iOS will ask to install a local VPN profile on first use—approve it.
- Pick apps from the alphabetised list; KuaiLian shows system apps as well (e.g., FaceTime).
- Hit “Done”; the tunnel drops and comes back with the new policy. A haptic confirms success.
iOS handles the split by installing an on-demand configuration profile that references each app’s bundle ID. If you later uninstall KuaiLian, remember to delete the profile in Settings → General → VPN & Device Management to avoid orphaned routing entries.
Windows 11 (desktop build)
- System-tray icon → right-click → “Dashboard”.
- Left pane “Traffic Rules” ▸ “Split Tunneling 3.0”.
- Switch to “App List” tab; tick executables (.exe) or UWP packages. You can add custom binaries via the “+” button if they live outside Program Files.
- Click “Apply Rules”; the driver reloads without disconnecting active TCP sessions—an empirical plus for remote desktop users.
Windows uses a lightweight WFP callout to tag sockets at creation time, so existing RDP or SSH sessions survive the policy flip. You can observe the split in real time with Get-NetFirewallRule -PolicyStore ActiveStore and look for KuaiLian’s vendor-specific filters.
macOS (Ventura and later)
- Menu-bar icon → “Preferences” → “Advanced Routing”.
- Unlock with Touch ID to allow kernel extension changes.
- Drag apps from /Applications into the “Direct” or “Tunnel” column; or use the “+” button for command-line tools in /usr/local/bin.
- “Save” triggers a 1-second reconnection; macOS shows a brief key icon refresh.
macOS registers the choices in a System Extension policy database that survives sleep-wake cycles. If you later upgrade to a major OS version, review the list—Apple sometimes re-signs system binaries, which can invalidate the previous path match.
Creating Domain-Only or IP-Only Rules Instead
Sometimes you don’t want to trust the whole app. A practical case is Chrome: you might need *.google.com through the tunnel for Search Console, but want *.office.com direct for Teams Web. In the same “Split Tunneling 3.0” screen switch to “Domain” or “IP/CIDR” tab and add entries. Priority is fixed: IP > Domain > App. If a packet matches multiple levels, the most specific wins. You can verify precedence by enabling “Debug Overlay” in Developer Options (Android) or running log stream --predicate 'sender == kernel' --level debug on macOS to watch the policy evaluation in real time.
Example: A developer adds 192.0.2.0/24 to the “Direct” list while keeping the parent app in “Tunnel”. Traffic to that subnet exits locally, everything else from the same binary still rides the tunnel. The rule survives app updates because it is bound to the destination, not the executable path.
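The precedence described above (IP > Domain > App, most specific match wins) and the IPv4/IPv6 caveat from the earlier section are easier to reason about with a small evaluator. The code below is an added example written for this page, not KuaiLian's policy engine: it assumes that levels are tried in the fixed order, that the first level with any match decides, that specificity within a level means longest CIDR prefix for IP rules and longest matching suffix for domain rules, and that an unmatched packet defaults to the tunnel. The rule set and destinations are constructed and reproduce the Chrome case and the 192.0.2.0/24 developer case from the text, plus a bank whose IPv4 API range is exempted while its IPv6 endpoint is not.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative split-tunnel rule evaluator (assumed semantics, not KuaiLian's code).
# Priority is fixed: ip > domain > app; within a level the most specific rule wins.


@dataclass(frozen=True)
class Rule:
    kind: str      # "ip", "domain" or "app"
    pattern: str   # CIDR, "*.example.com" / "example.com", or app identifier
    action: str    # "direct" or "tunnel"


def _ip_specificity(rule: Rule, dst_ip: str) -> Optional[int]:
    """Prefix length if the destination falls inside the rule's CIDR, else None.
    An IPv4 rule never matches an IPv6 destination, which is exactly the
    silent-failure mode the page warns about for dual-stack banking APIs."""
    net = ipaddress.ip_network(rule.pattern, strict=False)
    addr = ipaddress.ip_address(dst_ip)
    if addr.version != net.version or addr not in net:
        return None
    return net.prefixlen


def _domain_specificity(rule: Rule, host: str) -> Optional[int]:
    """Length of the matched suffix for wildcard rules, or of the exact name."""
    host = host.lower().rstrip(".")
    pat = rule.pattern.lower()
    if pat.startswith("*."):
        suffix = pat[2:]
        if host == suffix or host.endswith("." + suffix):
            return len(suffix)
        return None
    return len(pat) if host == pat else None


def evaluate(rules: List[Rule], app: str, host: Optional[str], dst_ip: str,
             default: str = "tunnel") -> Tuple[str, Optional[Rule]]:
    """Return (action, winning_rule). The first level with a match decides."""
    for kind in ("ip", "domain", "app"):
        best: Optional[Tuple[int, Rule]] = None
        for r in rules:
            if r.kind != kind:
                continue
            if kind == "ip":
                score = _ip_specificity(r, dst_ip)
            elif kind == "domain":
                score = _domain_specificity(r, host) if host else None
            else:
                score = len(r.pattern) if r.pattern == app else None
            if score is not None and (best is None or score > best[0]):
                best = (score, r)
        if best is not None:
            return best[1].action, best[1]
    return default, None


# Constructed rule set mirroring the page's scenarios.
RULES = [
    Rule("app", "chrome", "tunnel"),
    Rule("app", "devtool", "tunnel"),
    Rule("domain", "*.google.com", "tunnel"),     # Search Console via tunnel
    Rule("domain", "*.office.com", "direct"),     # Teams Web direct
    Rule("ip", "192.0.2.0/24", "direct"),         # developer's direct subnet
    Rule("ip", "192.0.2.128/25", "tunnel"),       # narrower exception inside it
    Rule("ip", "203.0.113.0/24", "direct"),       # bank's IPv4 API range only
]


def demo() -> dict:
    """Evaluate constructed (app, host, destination IP) triples."""
    cases = {
        "teams_web":       ("chrome", "teams.office.com", "198.51.100.10"),
        "search_console":  ("chrome", "search.google.com", "198.51.100.11"),
        "other_site":      ("chrome", "example.net", "198.51.100.12"),
        "dev_subnet":      ("devtool", None, "192.0.2.7"),
        "dev_exception":   ("devtool", None, "192.0.2.200"),
        "ip_beats_domain": ("chrome", "teams.office.com", "192.0.2.200"),
        "bank_v4":         ("bank", "api.bank.example", "203.0.113.5"),
        "bank_v6":         ("bank", "api.bank.example", "2001:db8::5"),
    }
    return {name: evaluate(RULES, *args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:16s} -> {action}")
```

The bank_v6 result is the point of the dry-run advice: the IPv4 exemption matches nothing for the IPv6 endpoint, so that connection silently falls back to the default tunnel path. The ip_beats_domain case shows why an IP/CIDR entry should be reviewed before a domain rule is assumed to be in effect.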
Future Trends / Version Expectations
Expected but not yet confirmed: KuaiLian’s beta channel has hinted at per-process bandwidth caps and QoS tags within split rules, allowing you to assign 5 Mbps direct for Zoom while keeping Slack uncapped through the tunnel. Until those knobs ship, the safest stance is to treat today’s feature set as stable and design your network policy around it.