[Update on April 16, 2024] Following a fix of the issue that prompted this post, split tunneling was restored to all Windows versions, and cybersecurity firm Nettitude has since conducted a security audit on our Windows apps to verify the remediation of the DNS issue related to split tunneling. Learn more and read the full report.
ExpressVPN’s engineers have quickly deployed a fix to our Version 12 app for Windows, thanks to a tip from a reviewer that something might be amiss with how the app handles DNS requests for users who have split tunneling activated.
Attila Tomaschek, a VPN expert and staff writer at the tech publication CNET, notified ExpressVPN that he had observed DNS requests on his Windows machine weren’t being directed to ExpressVPN’s dedicated servers, as expected. This occurred when he had activated split tunneling, which limits which apps send their traffic through the VPN.
Although the issue is believed to involve less than 1% of users on a single app platform, Version 12 for Windows, ExpressVPN rolled out an update that disabled split tunneling on that platform entirely, to minimize the potential ongoing risk to customers. The feature will remain deactivated while engineers investigate and fix the problem.
We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected.
What should happen
When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server. But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider, or ISP. This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior. All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party.
If you’re a user of the Version 12 app for Windows, you should upgrade to the latest app if your app has not already updated automatically. Split tunneling will return to Version 12 as soon as engineers are confident that the DNS issue has been resolved. [Editors Note: A previous version of this article encouraged people who needed split tunneling to install V10. Instead, we now recommend waiting for the next release of Version 12, which will be shipping soon.]
For more details on our response to this incident, please consult our FAQ in the Support Center.
A word of thanks
ExpressVPN is extremely grateful to our extensive community of customers, beta testers, and experts who take the time to notify us of potential issues or to suggest improvements in our products. We invite anyone interested to join our beta testing program, and we offer a generous bug bounty to security researchers who report problems, no matter how small, that allow us to make our apps safer and better for all our users around the world.
Take the first step to protect yourself online
30-day money-back guarantee
We take your privacy seriously. Try ExpressVPN risk-free.
What is a VPN?
Comments
I have an ExpressVPN subscription and also using (for work) an Azure Client VPN configured for an Azure P2S private network access? Before the fixing of this issue they worked fine side to side (split tunneling in ExpressVPN of the Azure VPN Client app) …..after the fix I cannot access Internet when I start Azure client (and ExpressVPN is already running), DNS configuration seems not to properly function anymore. Is ExpressVPN still configurable to use them both in parallel, is there a way to fix the problem? Some help (how to do it steps) would be really appreciated. Thank you.