Why Choose Astrill Smart Mode & Split Tunneling for Banking and Shopping

Here’s a scenario most VPN users have run into: you’re at home, VPN is on, and you try to log into your bank. Fraud alert. Or you open a local delivery app, and it thinks you’re in some city three time zones away. Nothing has gone wrong, technically. Your VPN is doing exactly what it’s supposed to do. It’s just doing it to everything, including things that don’t need it.

Astrill’s Smart Mode and split-tunneling tools are designed to fix that. The idea is simple: some traffic belongs in the encrypted tunnel, and some doesn’t. Smart Mode and the Application Filter let you decide where the line is, so your banking and local apps work as expected while the rest of your browsing stays private.

This guide covers how these features work, why banks and local services behave differently when a VPN is running, and how to set them up properly on any device.

Why Your VPN Causes Problems with Banks and Local Services

By default, a VPN routes all your traffic through an encrypted tunnel to a server somewhere else in the world. That server makes requests on your behalf, so websites see its IP address instead of yours. For most of what you do online, that’s exactly what you want.

Banks and local services are a different story.

The Banking Problem

Banks build their fraud detection around location patterns. If you normally log in from a home IP in Chicago and a login attempt suddenly comes from a data center in Amsterdam, the system flags it. Not because anything is wrong, but because that’s exactly what account takeovers look like.

Shared VPN servers make this worse. When hundreds of users share the same exit IP, that address accumulates logins across dozens of different banks. Fraud detection systems catch on quickly, and the IP address ends up being blocklisted. Perfectly normal users start hitting walls.

Different banks draw the line differently. Bank of America and Wells Fargo tend to block data center IP ranges outright. Chase is stricter about shared VPN IPs but usually tolerates dedicated static addresses. 

HSBC and UK banks like Barclays and Lloyds apply location-based verification tied to compliance requirements, so a foreign-looking IP can trigger reviews regardless of whether it’s a VPN. The bank isn’t wrong to be suspicious. Credential-stuffing attacks rely heavily on VPN infrastructure to hide their origins. The problem is that the system can’t tell you apart from the attacker.

Why Local Shopping Acts Weird on a VPN

Local platforms use your IP address to determine where you are. A regional delivery app might refuse to show restaurants near you because it thinks you’re in Berlin. A loyalty program might pull up the wrong pricing tier. A marketplace might show listings from another city entirely, or block checkout because your apparent location doesn’t match your billing address.

None of this is a reason to drop the VPN. It’s a reason to route those services differently.

What Astrill Smart Mode Actually Does

Smart Mode is Astrill’s most hands-off solution. It automatically routes local websites through your direct internet connection and sends foreign sites through the VPN tunnel. Your bank sees your actual residential IP address. International sites see the VPN. You don’t have to configure anything manually.

It mirrors how most people actually think about VPN usage: you want protection when browsing internationally, but local services should know where you are. Smart Mode just handles that split on its own.

How the Routing Decision Works

Smart Mode classifies sites as either local (within your country) or international and routes them accordingly. Local traffic goes directly. Foreign traffic goes through the tunnel. The logic runs in the background without any input from you.

When you access your bank, it sees a normal residential connection. When you browse a foreign site, your real IP stays hidden. Both things happen at the same time, with the same VPN session running.

Platform Availability

Smart Mode works on Windows, macOS, Linux, iOS, and Android. On iOS specifically, it’s the main routing tool available. Apple’s sandboxing prevents third-party apps from controlling other apps’ traffic at the system level, so the Application Filter that Android and desktop users can access isn’t an option there. Smart Mode picks up that role on iPhone and iPad.

Smart Mode in Censored Environments

For users in countries that block international sites, Smart Mode (sometimes called GFW Mode in those contexts) handles the split in the other direction. Blocked foreign content gets tunneled through the VPN. Local services, payment platforms, and apps that require a domestic IP stay on the direct connection. It keeps both sides working without requiring any toggling.

Astrill Split Tunneling: The Application Filter and Site Filter

Smart Mode covers the automatic case. For everything else, Astrill gives you manual control through the Application Filter and the Site Filter. These let you specify which apps or sites bypass the tunnel and which stay protected.

If you want a deeper look at how split tunneling works under the hood, the Astrill blog’s guide on VPN split tunneling has a solid breakdown of the mechanics. This guide is focused on the practical setup side of things.

Application Filter: Control by App

The Application Filter lets you decide, per app, whether it uses the VPN. There are three modes:

• Tunnel all apps is the default. Everything goes through the encrypted tunnel.
• Tunnel only these apps’ routes, just the apps you specify through the VPN, and everything else connects directly. Useful if you only need VPN protection for a few things.
• Excluding these apps keeps the VPN running for everything except the apps you add to the list. This is the most common setup for banking and local services. The Application Filter is available on Windows, macOS, Linux, and Android. iOS users rely on Smart Mode instead.

Site Filter: Control by Domain or IP

The Site Filter works the same way but at the website level. The available modes include Tunnel all sites (default), Tunnel only these sites, Exclude these sites, and Tunnel only international sites, which replicates Smart Mode’s logic for protocols where Smart Mode isn’t natively available.

One thing to know: on protocols other than OpenWeb, the Site Filter works with IP addresses rather than domain names. You’ll need to look up the IP for any site you want to exclude. On OpenWeb, you can just enter the domain directly, which is easier to work with.

Supported Protocols

Split tunneling works across OpenVPN, StealthVPN, WireGuard, and OpenWeb. StealthVPN is worth knowing about if you’re in a country that actively blocks VPN traffic. It adds an obfuscation layer on top of OpenVPN so the connection doesn’t appear to be a VPN, and it keeps all the same split-tunneling features. WireGuard handles selective routing cleanly through its Allowed IPs configuration.

Setting Up for Online Banking

The right setup depends on how you bank and what device you’re on. Here’s how to do it on each platform.

Desktop: Windows, macOS, Linux

Option A: Exclude your banking app (recommended if you use a dedicated app)

1. Open the Astrill app and go to Settings.
2. Click Application Filter.
3. Switch the mode to Exclude these apps.
4. Click Add and select your banking application from the list.
5. Click OK. Your bank now sees a normal connection, and everything else stays tunneled.

Option B: Exclude your bank’s domain (better if you bank through a browser)

1. Open Astrill, then go to Settings> Site Filter.
2. Set the mode to Exclude these sites.
3. Run a quick ping or DNS lookup on your bank’s URL to get its IP address.
4. Enter that IP in the exclusion list and click OK.
5. This keeps only your bank’s traffic on the direct connection while the rest of your browsing stays in the tunnel.

Android

1. Open the Astrill app and go to Settings.
2. Tap App Filter.
3. Set it to Exclude these apps.
4. Select your banking app from the list and tap OK.

That’s usually all it takes. If your bank’s app is still flagging the connection, adding a dedicated IP from Astrill on top of this fixes it in most cases. Dedicated IPs look like a consistent residential connection rather than a shared VPN exit node, which is what fraud detection systems care about.

iPhone and iPad

1. Open the Astrill app and go to Settings.
2. Enable Smart Mode.
3. Connect to your preferred server.

Smart Mode automatically handles routing on iOS. Your banking app and other local services connect directly, while international traffic stays tunneled. You won’t get per-app granularity like on Android, but for everyday banking, it covers the common cases without any extra steps.

When to Use a Dedicated IP

If you regularly access your bank while Astrill is running, a dedicated IP is worth considering. Shared VPN IPs get flagged because hundreds of users are routing through them at once, and eventually those addresses end up on bank blocklists. A dedicated IP is yours alone, so it builds a clean history with your bank’s security systems rather than inheriting someone else’s baggage.

Setting Up for Local Shopping

The core issue with local shopping is the same as with banking: your VPN IP doesn’t match your location, and local platforms use location data to decide what you see and whether your transaction goes through.

Delivery Apps and Regional Marketplaces

For most local delivery and marketplace apps, Smart Mode handles it automatically. The app sees your real location, loads the right results, and checkout works. If you’re on a platform or protocol where Smart Mode isn’t available, add the app to your Application Filter exclusion list, and it connects directly while everything else stays protected.

Pricing, Loyalty Programs, and Geo-Targeted Content

Many e-commerce platforms charge different prices and offer different product availability depending on where they think you’re browsing from. Sometimes a foreign IP works in your favor; often, it doesn’t, especially if you’re redirected to the wrong regional version of a site or see products that don’t ship to your area. Keeping local shopping sites outside the tunnel makes sure the platform is actually serving you the right content.

Loyalty programs that tie your rewards or membership to your location tend to perform better when they recognize a residential IP address that matches your account.

Payment Processors and Checkout

This is where many VPN users run into unexpected friction. Your billing address says one country, your IP says another, and the payment processor’s fraud system blocks the transaction before it even reaches the merchant. 

Routing shopping sites or just their checkout domains through your direct connection removes that mismatch entirely. Use the Site Filter’s Exclude mode on any platform where you’ve encountered checkout issues.

Is Split Tunneling Safe? The Real Tradeoffs

Split tunneling doesn’t automatically make your setup less secure, but it does change which traffic is protected and which isn’t. That’s worth understanding clearly.

What Gets Protected and What Doesn’t

Traffic you’ve routed outside the VPN tunnel doesn’t have Astrill’s encryption, so your real IP is visible to that destination. For your bank or a grocery app, that’s fine and intentional. But on an untrusted public Wi-Fi network, anything outside the tunnel is potentially exposed to other people on the same network.

In practice, this means your home setup is appropriate for everyday use. At an airport or coffee shop, be more conservative about what you exclude. Banking apps use HTTPS regardless of the VPN, so your credentials are still encrypted, but there’s a broader principle here: the fewer things you expose on public networks, the better.

DNS Leaks

A detail that doesn’t get enough attention: even when an app is routing outside the VPN tunnel, its DNS queries might still go through Astrill’s DNS servers, or they might not. If they leak to your ISP, your ISP can see which domains you’re resolving, even if the traffic itself is encrypted.

Astrill handles DNS leak protection for tunneled traffic. For excluded traffic, DNS behavior depends on your system settings. On Windows, excluded apps typically use your ISP’s DNS unless you’ve set up a custom resolver. Pointing excluded traffic at something like Cloudflare’s 1.1.1.1 at the router or system level is a reasonable extra step if this is a concern.

The Kill Switch and Excluded Traffic

Astrill’s kill switch cuts your internet connection if the VPN drops, so your real IP doesn’t leak during a disconnect. For split tunneling specifically, the kill switch protects traffic that’s supposed to go through the VPN. Apps you’ve excluded aren’t affected by it, because they were always going direct. That’s the correct behavior. If you’ve excluded your banking app, you want it working even when the VPN hiccups.

Avoiding Misconfiguration

The main thing to watch out for is accidentally excluding something you meant to protect. If you add the wrong app to the exclusion list, its traffic goes unencrypted without any warning. Audit your list occasionally, especially after Astrill updates. And when you’re unsure whether a service actually needs to be excluded, test it with the VPN fully active first. Many services that block VPN traffic actually work fine.

Smart Mode vs. Manual Split Tunneling: Which One Should You Use

Use Smart Mode When

Smart Mode is the right default for most people. If your main goal is making sure banking and local services work while keeping your international browsing private, it handles that automatically. No IP lookups, no exclusion lists to maintain. It just routes things correctly on its own.

It’s also the go-to on iOS since per-app filtering isn’t available there, and it’s the right call in censored environments where you need local services on a direct connection and foreign content tunneled automatically.

Use Manual Split Tunneling When

Manual control is better when your situation doesn’t neatly fit into local or international. You may need a specific international service to bypass the VPN, since it blocks VPN traffic. You may want different browsers to behave differently. The Application Filter and Site Filter handle those edge cases.

The two approaches also work together. On a desktop, you can run Smart Mode as your baseline and layer on Application Filter or Site Filter rules for anything that needs a more specific configuration. That combination covers most scenarios without much maintenance.

Common Scenarios and How to Handle Them

You’re Traveling and Can’t Access Your Bank

The VPN is running, but your bank is blocking access or repeatedly prompting for verification. On desktop or Android, open Astrill, go to Application Filter, switch to Exclude these apps, and add your banking app. Your bank will see your actual location (even if that’s abroad), but through a residential IP rather than a flagged VPN address. On iOS, Smart Mode handles this automatically.

A Local App Can’t Find Your Location

The delivery app is loading but showing the wrong city, or telling you delivery isn’t available. Your VPN IP is placing you somewhere else. Exclude the app through the Application Filter on Android or desktop. On iOS, Smart Mode should route it correctly if the service is classified as local.

You Want VPN Protection While Watching Local Streaming

Regional streaming services and local sports platforms need a domestic IP. A foreign VPN IP either blocks you or redirects you to the wrong regional version. Smart Mode automatically keeps local streaming on your direct connection. If you’re on a protocol where Smart Mode isn’t native, use Tunnel only international sites in the Site Filter.

A Payment Keeps Getting Declined

The billing address says one country, but your apparent IP says another. The payment processor blocks it. Exclude the shopping site through the Site Filter or Application Filter so it sees your real location. If it keeps happening, a dedicated Astrill IP address will address it more thoroughly, since dedicated IPs have better reputation scores with payment processors.

What Smart Mode Can’t Do

Smart Mode works at the domain classification level. It can’t route one specific international site through your direct connection while tunneling all other international traffic. For that, you need the Site Filter. Similarly, Smart Mode doesn’t make per-app distinctions. If you want one browser tunneled and another connecting directly, that’s Application Filter territory.

Smart Mode is also natively available on OpenWeb. If you’re running a different protocol and want the same behavior, selecting Tunnel only international sites in the Site Filter gives you the same result manually. One tradeoff worth noting: OpenWeb is proxy-based, with performance characteristics different from those of OpenVPN or WireGuard, so the right protocol choice depends on what else you’re optimizing for.

Enabling Smart Mode

1. Open the Astrill app and go to Settings.
2. Find Smart Mode and enable it. On OpenWeb, it’s listed directly. On other protocols, go to Site Filter and select Tunnel only international sites.
3. Connect to your server. Local sites now route directly automatically.

Application Filter: Exclude Specific Apps

1. Go to Settings and click Application Filter.
2. Set the mode to Exclude these apps.
3. Click Add, then select the apps to exclude (banking apps, delivery apps, local shopping apps).
4. Click OK. Changes take effect immediately.

Site Filter: Exclude Specific Sites

1. Go to Settings, then Site Filter.
2. Set the mode to Exclude these sites.
3. Enter the IP address for the site (or the domain name if you’re on OpenWeb).
4. Click OK. If you’re connected, Astrill will prompt a reconnect for the changes to apply.

Wrapping Up

Banks block VPN IPs because fraud looks like what you’re doing. Local services act up because your IP puts you somewhere you’re not. None of that is a reason to go without a VPN. It’s a reason to route smarter.

Smart Mode automatically splits local and international traffic without any setup. The Application Filter and Site Filter give you per-app and per-site control when you need something more specific. Use them together, and you get the best of both: your bank and local apps see the connection they expect, and everything else stays encrypted and private.

That’s really the whole point. A VPN should protect you without breaking what doesn’t need protection.

Was this article helpful?

Yes No