diff --git a/desktop/angular/projects/safing/portmaster-api/src/lib/netquery.service.ts b/desktop/angular/projects/safing/portmaster-api/src/lib/netquery.service.ts
index 9769d454..8824ff0d 100644
--- a/desktop/angular/projects/safing/portmaster-api/src/lib/netquery.service.ts
+++ b/desktop/angular/projects/safing/portmaster-api/src/lib/netquery.service.ts
@@ -4,7 +4,7 @@ import { Observable, forkJoin, of } from "rxjs";
 import { catchError, map, mergeMap } from "rxjs/operators";
 import { AppProfileService } from "./app-profile.service";
 import { AppProfile } from "./app-profile.types";
-import { DNSContext, IPScope, Reason, TLSContext, TunnelContext, Verdict } from "./network.types";
+import { DNSContext, IPScope, Reason, SplitTunContext, TLSContext, TunnelContext, Verdict } from "./network.types";
 import { PORTMASTER_HTTP_API_ENDPOINT, PortapiService } from "./portapi.service";
 import { Container } from "postcss";
 
@@ -162,6 +162,7 @@ export interface NetqueryConnection {
     blockedEntities?: string[];
     reason?: Reason;
     tunnel?: TunnelContext;
+    split_tun?: SplitTunContext;
     dns?: DNSContext;
     tls?: TLSContext;
   };
diff --git a/desktop/angular/projects/safing/portmaster-api/src/lib/network.types.ts b/desktop/angular/projects/safing/portmaster-api/src/lib/network.types.ts
index 35a75861..bdc56dcf 100644
--- a/desktop/angular/projects/safing/portmaster-api/src/lib/network.types.ts
+++ b/desktop/angular/projects/safing/portmaster-api/src/lib/network.types.ts
@@ -210,6 +210,13 @@ export interface TunnelContext {
   RoutingAlg: 'default';
 }
 
+export interface SplitTunContext {
+  // Interface is the name of the network interface the connection is bound to.
+  Interface: string;
+  // IP is the IP address used to bind the connection to the interface.
+  IP: string;
+}
+
 export interface GeoIPInfo {
   IP: string;
   Country: string;
diff --git a/desktop/angular/src/app/shared/config/config-settings.ts b/desktop/angular/src/app/shared/config/config-settings.ts
index 513e6c4b..30bbdba7 100644
--- a/desktop/angular/src/app/shared/config/config-settings.ts
+++ b/desktop/angular/src/app/shared/config/config-settings.ts
@@ -427,11 +427,16 @@ export class ConfigSettingsViewComponent
                   (s) => s.Key === subsys.ToggleOptionKey
                 );
                 if (!!toggleOption) {
-                  if (
-                    (toggleOption.Value !== undefined && !toggleOption.Value) ||
-                    (toggleOption.Value === undefined &&
-                      !toggleOption.DefaultValue)
-                  ) {
+                  // Determine the effective enabled state: per-app value takes
+                  // priority, then the globally-configured value (GlobalDefault),
+                  // and finally the hardcoded DefaultValue.
+                  const effectiveEnabled =
+                    toggleOption.Value !== undefined
+                      ? !!toggleOption.Value
+                      : toggleOption.GlobalDefault !== undefined
+                        ? !!toggleOption.GlobalDefault
+                        : !!toggleOption.DefaultValue;
+                  if (!effectiveEnabled) {
                     subsys.isDisabled = true;
 
                     // remove all settings for all subsystem categories
diff --git a/desktop/angular/src/app/shared/config/subsystems.ts b/desktop/angular/src/app/shared/config/subsystems.ts
index 97bdfab1..a6978dea 100644
--- a/desktop/angular/src/app/shared/config/subsystems.ts
+++ b/desktop/angular/src/app/shared/config/subsystems.ts
@@ -7,7 +7,7 @@ export interface SubsystemWithExpertise extends Subsystem {
   hasUserDefinedValues: boolean;
 }
 
-export var subsystems : SubsystemWithExpertise[] = [
+export const subsystems : SubsystemWithExpertise[] = [
   {
     minimumExpertise: ExpertiseLevelNumber.developer,
     isDisabled: false,
@@ -268,5 +268,30 @@ export var subsystems : SubsystemWithExpertise[] = [
       Deleted: 0,
       Key: "runtime:subsystems/spn"
     }
+  },
+  {
+  minimumExpertise: ExpertiseLevelNumber.user,  // User level since UI is user-facing
+  isDisabled: false,
+  hasUserDefinedValues: false,
+  ID: "splittun",
+  Name: "Split Tunnel",
+  Description: "Route traffic through specified interface to bypass default routing",
+  Modules: [
+    {
+      Name: "splittun",
+      Enabled: true
+    }
+  ],
+  ToggleOptionKey: "splittun/use",  // Links to the boolean enable/disable option
+  ExpertiseLevel: "user",
+  ReleaseLevel: 0,
+  ConfigKeySpace: "config:splittun/",
+  _meta: {
+    Created: 0,
+    Modified: 0,
+    Expires: 0,
+    Deleted: 0,
+    Key: "runtime:subsystems/splittun"
   }
+}
 ];
diff --git a/desktop/angular/src/app/shared/netquery/connection-details/conn-details.html b/desktop/angular/src/app/shared/netquery/connection-details/conn-details.html
index 73abd31f..3a78f435 100644
--- a/desktop/angular/src/app/shared/netquery/connection-details/conn-details.html
+++ b/desktop/angular/src/app/shared/netquery/connection-details/conn-details.html
@@ -255,6 +255,17 @@
     </ng-container>
   </div>
 
+  <div *ngIf="!!conn.extra_data?.split_tun">
+    <h3 class="text-primary text-xxs">Split Tunnel</h3>
+    <div *ngIf="conn.extra_data?.split_tun as splitTun" class="meta">
+      <span class="inline-flex items-center gap-1 flex-wrap">
+        <span class="text-secondary">This connection is forcibly routed through interface</span>
+        <span>{{ splitTun.Interface }}</span>
+        <span class="text-secondary">({{ splitTun.IP }})</span>
+      </span>      
+    </div>
+  </div>
+
   <div *ngIf="!!bwData.length" class="col-span-3 block border-t border-gray-400 py-2">
     <h2 class="text-secondary uppercase w-full text-center text-xxs">Data Usage</h2>
     <sfng-netquery-line-chart class="block w-full !h-36" [data]="bwData" [config]="{
diff --git a/service/firewall/packet_handler.go b/service/firewall/packet_handler.go
index 6e96cb28..bf13e56e 100644
--- a/service/firewall/packet_handler.go
+++ b/service/firewall/packet_handler.go
@@ -25,6 +25,7 @@ import (
 	"github.com/safing/portmaster/service/network/netutils"
 	"github.com/safing/portmaster/service/network/packet"
 	"github.com/safing/portmaster/service/process"
+	"github.com/safing/portmaster/service/profile"
 	"github.com/safing/portmaster/service/resolver"
 	"github.com/safing/portmaster/spn/access"
 )
@@ -571,6 +572,11 @@ func FilterConnection(ctx context.Context, conn *network.Connection, pkt packet.
 	// Check if connection should be tunneled.
 	if checkTunnel {
 		checkTunneling(ctx, conn)
+
+		if conn.Verdict != network.VerdictRerouteToTunnel {
+			// SPN takes precedence over Split Tunnel, so only check split tunneling if not already set to tunnel.
+			checkSplitTunneling(ctx, conn)
+		}
 	}
 
 	// Request tunneling if no tunnel is set and connection should be tunneled.
@@ -585,6 +591,12 @@ func FilterConnection(ctx context.Context, conn *network.Connection, pkt packet.
 			// connection and the data will help with debugging and displaying in the UI.
 			conn.Failed(fmt.Sprintf("failed to request tunneling: %s", err), "")
 		}
+	} else if conn.Verdict == network.VerdictRerouteToSplitTun {
+		// Request split tunneling
+		err := requestSplitTunneling(ctx, conn)
+		if err != nil {
+			conn.Failed(fmt.Sprintf("failed to request split-tunneling: %s", err), profile.CfgOptionSplitTunUseKey)
+		}
 	}
 }
 
diff --git a/service/firewall/split-tunnel.go b/service/firewall/split-tunnel.go
new file mode 100644
index 00000000..25db7004
--- /dev/null
+++ b/service/firewall/split-tunnel.go
@@ -0,0 +1,103 @@
+package firewall
+
+import (
+	"context"
+	"errors"
+
+	"github.com/safing/portmaster/base/log"
+	"github.com/safing/portmaster/service/network"
+	"github.com/safing/portmaster/service/network/packet"
+	"github.com/safing/portmaster/service/profile"
+	"github.com/safing/portmaster/service/profile/endpoints"
+	"github.com/safing/portmaster/service/splittun"
+)
+
+func checkSplitTunneling(ctx context.Context, conn *network.Connection) {
+	// Check if the connection should be tunneled at all.
+	switch {
+	case conn.Entity.IPScope.IsLocalhost():
+		// Can't tunnel Local connections.
+		return
+	case conn.Inbound:
+		// Can't tunnel incoming connections.
+		return
+	case conn.Verdict != network.VerdictAccept:
+		// Connection will be blocked.
+		return
+	case conn.IPProtocol != packet.TCP && conn.IPProtocol != packet.UDP:
+		// Unsupported protocol.
+		return
+	case conn.Process().Pid == ownPID:
+		// Bypass tunneling for own connections.
+		return
+	case !splittun.IsReady():
+		return
+	}
+
+	// Get profile.
+	layeredProfile := conn.Process().Profile()
+	if layeredProfile == nil {
+		conn.Failed("no profile set", "")
+		return
+	}
+
+	// Update profile.
+	if layeredProfile.NeedsUpdate() {
+		// Update revision counter in connection.
+		conn.ProfileRevisionCounter = layeredProfile.Update(
+			conn.Process().MatchingData(),
+			conn.Process().CreateProfileCallback,
+		)
+		conn.SaveWhenFinished()
+	} else {
+		// Check if the revision counter of the connection needs updating.
+		revCnt := layeredProfile.RevisionCnt()
+		if conn.ProfileRevisionCounter != revCnt {
+			conn.ProfileRevisionCounter = revCnt
+			conn.SaveWhenFinished()
+		}
+	}
+
+	// Check if split-tunneling is enabled for this app at all.
+	if !layeredProfile.UseSplitTun() {
+		return
+	}
+
+	// Check if tunneling is enabled for entity.
+	conn.Entity.FetchData(ctx)
+	result, _ := layeredProfile.MatchSplitTunUsagePolicy(ctx, conn.Entity)
+	switch result {
+	case endpoints.MatchError:
+		conn.Failed("failed to check Split Tunnel rules", profile.CfgOptionSplitTunUsagePolicyKey)
+		return
+	case endpoints.Denied:
+		return
+	case endpoints.Permitted, endpoints.NoMatch:
+	}
+
+	conn.SaveWhenFinished()
+
+	conn.SetVerdictDirectly(network.VerdictRerouteToSplitTun)
+}
+
+func requestSplitTunneling(ctx context.Context, conn *network.Connection) error {
+	// Get profile.
+	layeredProfile := conn.Process().Profile()
+	if layeredProfile == nil {
+		return errors.New("no profile set")
+	}
+
+	interfaceToBind := layeredProfile.SplitTunInterface()
+
+	// Queue request in splittun module.
+	splitTunCtx, err := splittun.AwaitRequest(conn, interfaceToBind)
+	if err != nil {
+		return err
+	}
+
+	// Store context on the connection so the UI can display interface information.
+	conn.SplitTunContext = splitTunCtx
+
+	log.Tracer(ctx).Trace("filter: split tunneling requested")
+	return nil
+}
diff --git a/service/instance.go b/service/instance.go
index ad567574..47bbc25f 100644
--- a/service/instance.go
+++ b/service/instance.go
@@ -35,6 +35,7 @@ import (
 	"github.com/safing/portmaster/service/process"
 	"github.com/safing/portmaster/service/profile"
 	"github.com/safing/portmaster/service/resolver"
+	"github.com/safing/portmaster/service/splittun"
 	"github.com/safing/portmaster/service/status"
 	"github.com/safing/portmaster/service/sync"
 	"github.com/safing/portmaster/service/ui"
@@ -102,6 +103,8 @@ type Instance struct {
 	control       *control.Control
 	interop       *interop.Interoperability
 
+	splittun *splittun.SplitTunModule
+
 	access *access.Access
 
 	// SPN modules
@@ -283,6 +286,11 @@ func New(svcCfg *ServiceConfig) (*Instance, error) { //nolint:maintidx
 		return instance, fmt.Errorf("create access module: %w", err)
 	}
 
+	instance.splittun, err = splittun.New(instance)
+	if err != nil {
+		return instance, fmt.Errorf("create splittun module: %w", err)
+	}
+
 	// SPN modules
 	instance.cabin, err = cabin.New(instance)
 	if err != nil {
@@ -355,6 +363,8 @@ func New(svcCfg *ServiceConfig) (*Instance, error) { //nolint:maintidx
 		instance.filterLists,
 		instance.customlist,
 
+		instance.splittun,
+
 		instance.interop, // required to start before interception
 
 		// Grouped pausable interception modules:
diff --git a/service/netquery/manager.go b/service/netquery/manager.go
index 787da764..eff074cb 100644
--- a/service/netquery/manager.go
+++ b/service/netquery/manager.go
@@ -226,6 +226,10 @@ func convertConnection(conn *network.Connection) (*Conn, error) {
 		c.ExitNode = &exitNode
 	}
 
+	if conn.SplitTunContext != nil {
+		extraData["split_tun"] = conn.SplitTunContext
+	}
+
 	if conn.DNSContext != nil {
 		extraData["dns"] = conn.DNSContext
 	}
diff --git a/service/network/connection.go b/service/network/connection.go
index b673fbe7..777e1d8a 100644
--- a/service/network/connection.go
+++ b/service/network/connection.go
@@ -56,6 +56,15 @@ type ProcessContext struct {
 	Source string
 }
 
+// SplitTunContext holds additional information about the split tunnel
+// that a connection is routed through.
+type SplitTunContext struct {
+	// Interface is the name of the network interface the connection is bound to.
+	Interface string
+	// IP is the IP address used to bind the connection to the interface.
+	IP net.IP
+}
+
 // ConnectionType is a type of connection.
 type ConnectionType int8
 
@@ -170,6 +179,10 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 		GetExitNodeID() string
 		StopTunnel() error
 	}
+	// SplitTunContext holds additional information about the split tunnel
+	// that this connection is routed through. It is set when the connection
+	// verdict is VerdictRerouteToSplitTun and the interface has been resolved.
+	SplitTunContext *SplitTunContext
 
 	// HistoryEnabled is set to true when the connection should be persisted
 	// in the history database.
diff --git a/service/profile/config-update.go b/service/profile/config-update.go
index d958e307..8cee47ad 100644
--- a/service/profile/config-update.go
+++ b/service/profile/config-update.go
@@ -17,6 +17,7 @@ var (
 	cfgDefaultAction       uint8
 	cfgEndpoints           endpoints.Endpoints
 	cfgServiceEndpoints    endpoints.Endpoints
+	cfgSplitTunUsagePolicy endpoints.Endpoints
 	cfgSPNUsagePolicy      endpoints.Endpoints
 	cfgSPNTransitHubPolicy endpoints.Endpoints
 	cfgSPNExitHubPolicy    endpoints.Endpoints
@@ -74,6 +75,13 @@ func updateGlobalConfigProfile(_ context.Context) error {
 		lastErr = err
 	}
 
+	list = cfgOptionSplitTunUsagePolicy()
+	cfgSplitTunUsagePolicy, err = endpoints.ParseEndpoints(list)
+	if err != nil {
+		// TODO: module error?
+		lastErr = err
+	}
+
 	list = cfgOptionSPNUsagePolicy()
 	cfgSPNUsagePolicy, err = endpoints.ParseEndpoints(list)
 	if err != nil {
diff --git a/service/profile/config.go b/service/profile/config.go
index c3dbb26a..23f6c31a 100644
--- a/service/profile/config.go
+++ b/service/profile/config.go
@@ -141,6 +141,19 @@ var (
 	cfgOptionExitHubPolicyOrder = 147
 
 	// Setting "DNS Exit Node Rules" at order 148.
+
+	// Split Tunnel.
+	CfgOptionSplitTunUseKey   = "splittun/use"
+	cfgOptionSplitTunUse      config.BoolOption
+	cfgOptionSplitTunUseOrder = 210
+
+	CfgOptionSplitTunInterfaceKey   = "splittun/networkInterface"
+	cfgOptionSplitTunInterface      config.StringOption
+	cfgOptionSplitTunInterfaceOrder = 211
+
+	CfgOptionSplitTunUsagePolicyKey   = "splittun/usagePolicy"
+	cfgOptionSplitTunUsagePolicy      config.StringArrayOption
+	cfgOptionSplitTunUsagePolicyOrder = 212
 )
 
 var (
@@ -819,5 +832,92 @@ By default, the Portmaster tries to choose the node closest to the destination a
 	cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, DefaultRoutingProfileID)
 	cfgStringOptions[CfgOptionRoutingAlgorithmKey] = cfgOptionRoutingAlgorithm
 
+	//
+	// Split Tunnel
+	//
+
+	// Split Tunnel: Use
+	err = config.Register(&config.Option{
+		Name: "Use Split Tunnel",
+		Key:  CfgOptionSplitTunUseKey,
+		Description: `Route specific traffic through a different network interface, bypassing default system routing (useful for avoiding VPNs for certain apps).
+
+Important: SPN overrides Split Tunnel when enabled, so this option has no effect on SPN connections.`,
+		OptType:      config.OptTypeBool,
+		DefaultValue: false,
+		Annotations: config.Annotations{
+			config.SettablePerAppAnnotation: true,
+			config.DisplayOrderAnnotation:   cfgOptionSplitTunUseOrder,
+			config.CategoryAnnotation:       "General",
+		},
+	})
+	if err != nil {
+		return err
+	}
+	cfgOptionSplitTunUse = config.Concurrent.GetAsBool(CfgOptionSplitTunUseKey, false)
+	cfgBoolOptions[CfgOptionSplitTunUseKey] = cfgOptionSplitTunUse
+
+	// Split Tunnel: Network Interface
+	err = config.Register(&config.Option{
+		Name: "Network Interface",
+		Key:  CfgOptionSplitTunInterfaceKey,
+		Description: `Specify the network interface to route Split Tunnel traffic through. You can define it by:
+- Interface name: "Ethernet", "Wi-Fi", "wlan0", etc.
+- Interface IP address: "192.168.1.1", "10.0.0.1", etc.
+- Interface MAC address: "00:1A:2B:3C:4D:5E", "01:23:45:67:89:AB", etc.
+
+Leave empty or set to 'auto' to let Portmaster detect the physical network interface and ignore virtual VPN interfaces. This helps bypass VPN tunnels. For better reliability, you can specify the interface manually if 'auto' does not work as expected.
+
+Important: The connection will be dropped if the network interface cannot be detected or becomes unavailable.
+
+Important: SPN overrides Split Tunnel when enabled, so this option has no effect on SPN connections.`,
+		Sensitive:    true,
+		OptType:      config.OptTypeString,
+		DefaultValue: "auto",
+		Annotations: config.Annotations{
+			config.SettablePerAppAnnotation: true,
+			config.DisplayOrderAnnotation:   cfgOptionSplitTunInterfaceOrder,
+			config.CategoryAnnotation:       "General",
+		},
+	})
+	if err != nil {
+		return err
+	}
+	cfgOptionSplitTunInterface = config.Concurrent.GetAsString(CfgOptionSplitTunInterfaceKey, "")
+	cfgStringOptions[CfgOptionSplitTunInterfaceKey] = cfgOptionSplitTunInterface
+
+	// Split Tunnel: Rules
+	splitTunRulesVerdictNames := map[string]string{
+		"-": "Exclude", // Default.
+		"+": "Allow",
+	}
+
+	err = config.Register(&config.Option{
+		Name: "Split Tunnel Rules",
+		Key:  CfgOptionSplitTunUsagePolicyKey,
+		Description: `Customize which websites should or should not be routed through the Split Tunnel. Only active if "Use Split Tunnel" is enabled.
+		
+Important: SPN overrides Split Tunnel when enabled, so this option has no effect on SPN connections.`,
+		Help:         rulesHelp,
+		Sensitive:    true,
+		OptType:      config.OptTypeStringArray,
+		DefaultValue: []string{},
+		Annotations: config.Annotations{
+			config.SettablePerAppAnnotation:              true,
+			config.StackableAnnotation:                   true,
+			config.CategoryAnnotation:                    "General",
+			config.DisplayOrderAnnotation:                cfgOptionSplitTunUsagePolicyOrder,
+			config.DisplayHintAnnotation:                 endpoints.DisplayHintEndpointList,
+			endpoints.EndpointListVerdictNamesAnnotation: splitTunRulesVerdictNames,
+		},
+		ValidationRegex: endpoints.ListEntryValidationRegex,
+		ValidationFunc:  endpoints.ValidateEndpointListConfigOption,
+	})
+	if err != nil {
+		return err
+	}
+	cfgOptionSplitTunUsagePolicy = config.Concurrent.GetAsStringArray(CfgOptionSplitTunUsagePolicyKey, []string{})
+	cfgStringArrayOptions[CfgOptionSplitTunUsagePolicyKey] = cfgOptionSplitTunUsagePolicy
+
 	return nil
 }
diff --git a/service/profile/profile-layered.go b/service/profile/profile-layered.go
index fcb5b22f..947d370e 100644
--- a/service/profile/profile-layered.go
+++ b/service/profile/profile-layered.go
@@ -50,6 +50,8 @@ type LayeredProfile struct {
 	SPNRoutingAlgorithm config.StringOption `json:"-"`
 	EnableHistory       config.BoolOption   `json:"-"`
 	KeepHistory         config.IntOption    `json:"-"`
+	UseSplitTun         config.BoolOption   `json:"-"`
+	SplitTunInterface   config.StringOption `json:"-"`
 }
 
 // NewLayeredProfile returns a new layered profile based on the given local profile.
@@ -113,6 +115,14 @@ func NewLayeredProfile(localProfile *Profile) *LayeredProfile {
 		CfgOptionDomainHeuristicsKey,
 		cfgOptionDomainHeuristics,
 	)
+	lp.UseSplitTun = lp.wrapBoolOption(
+		CfgOptionSplitTunUseKey,
+		cfgOptionSplitTunUse,
+	)
+	lp.SplitTunInterface = lp.wrapStringOption(
+		CfgOptionSplitTunInterfaceKey,
+		cfgOptionSplitTunInterface,
+	)
 	lp.UseSPN = lp.wrapBoolOption(
 		CfgOptionUseSPNKey,
 		cfgOptionUseSPN,
@@ -349,6 +359,22 @@ func (lp *LayeredProfile) MatchServiceEndpoint(ctx context.Context, entity *inte
 	return cfgServiceEndpoints.Match(ctx, entity)
 }
 
+// MatchSplitTunUsagePolicy checks if the given endpoint matches an entry in any Split Tunnel usage policy in any of the profiles. This functions requires the layered profile to be read locked.
+func (lp *LayeredProfile) MatchSplitTunUsagePolicy(ctx context.Context, entity *intel.Entity) (endpoints.EPResult, endpoints.Reason) {
+	for _, layer := range lp.layers {
+		if layer.splitTunUsagePolicy.IsSet() {
+			result, reason := layer.splitTunUsagePolicy.Match(ctx, entity)
+			if endpoints.IsDecision(result) {
+				return result, reason
+			}
+		}
+	}
+
+	cfgLock.RLock()
+	defer cfgLock.RUnlock()
+	return cfgSplitTunUsagePolicy.Match(ctx, entity)
+}
+
 // MatchSPNUsagePolicy checks if the given endpoint matches an entry in any of the profiles. This functions requires the layered profile to be read locked.
 func (lp *LayeredProfile) MatchSPNUsagePolicy(ctx context.Context, entity *intel.Entity) (endpoints.EPResult, endpoints.Reason) {
 	for _, layer := range lp.layers {
diff --git a/service/profile/profile.go b/service/profile/profile.go
index df9f54ab..9efd1288 100644
--- a/service/profile/profile.go
+++ b/service/profile/profile.go
@@ -124,6 +124,7 @@ type Profile struct { //nolint:maligned // not worth the effort
 	spnUsagePolicy      endpoints.Endpoints
 	spnTransitHubPolicy endpoints.Endpoints
 	spnExitHubPolicy    endpoints.Endpoints
+	splitTunUsagePolicy endpoints.Endpoints
 
 	// Lifecycle Management
 	outdated   *abool.AtomicBool
@@ -203,6 +204,15 @@ func (profile *Profile) parseConfig() error {
 		}
 	}
 
+	list, ok = profile.configPerspective.GetAsStringArray(CfgOptionSplitTunUsagePolicyKey)
+	profile.splitTunUsagePolicy = nil
+	if ok {
+		profile.splitTunUsagePolicy, err = endpoints.ParseEndpoints(list)
+		if err != nil {
+			lastErr = err
+		}
+	}
+
 	list, ok = profile.configPerspective.GetAsStringArray(CfgOptionSPNUsagePolicyKey)
 	profile.spnUsagePolicy = nil
 	if ok {
diff --git a/service/splittun/module.go b/service/splittun/module.go
new file mode 100644
index 00000000..7eb78f0f
--- /dev/null
+++ b/service/splittun/module.go
@@ -0,0 +1,68 @@
+package splittun
+
+import (
+	"errors"
+	"sync/atomic"
+
+	"github.com/safing/portmaster/service/mgr"
+)
+
+const SplitTunPort = 719
+
+type SplitTunModule struct {
+	mgr      *mgr.Manager
+	instance instance
+}
+
+var (
+	module     *SplitTunModule
+	shimLoaded atomic.Bool
+	ready      atomic.Bool // ready indicates whether the module is fully initialized and ready to handle requests.
+)
+
+func IsReady() bool {
+	return ready.Load()
+}
+
+func New(instance instance) (*SplitTunModule, error) {
+	if !shimLoaded.CompareAndSwap(false, true) {
+		return nil, errors.New("only one instance allowed")
+	}
+
+	m := mgr.New("SplitTunModule")
+	module = &SplitTunModule{
+		mgr:      m,
+		instance: instance,
+	}
+
+	if err := prep(); err != nil {
+		return nil, err
+	}
+
+	return module, nil
+}
+
+func prep() error {
+	return nil
+}
+
+func (s *SplitTunModule) Manager() *mgr.Manager {
+	return s.mgr
+}
+
+func (s *SplitTunModule) Start() error {
+	err := startProxies(s.mgr)
+	if err != nil {
+		return err
+	}
+	ready.Store(true)
+	return nil
+}
+
+func (s *SplitTunModule) Stop() error {
+	ready.Store(false)
+	return stopProxies()
+}
+
+// INSTANCE
+type instance interface{}
diff --git a/service/splittun/proxies.go b/service/splittun/proxies.go
new file mode 100644
index 00000000..c338a62c
--- /dev/null
+++ b/service/splittun/proxies.go
@@ -0,0 +1,157 @@
+package splittun
+
+import (
+	"fmt"
+	"net"
+	"sync"
+
+	"github.com/safing/portmaster/service/mgr"
+	"github.com/safing/portmaster/service/netenv"
+	"github.com/safing/portmaster/service/network"
+	"github.com/safing/portmaster/service/network/packet"
+	"github.com/safing/portmaster/service/splittun/proxy"
+)
+
+var (
+	proxiesLocker sync.RWMutex
+	manager       *mgr.Manager
+	tcp4Proxy     *proxy.TCPProxy
+	tcp6Proxy     *proxy.TCPProxy
+	udp4Proxy     *proxy.UDPProxy
+	udp6Proxy     *proxy.UDPProxy
+)
+
+type proxiedEgressFinder interface {
+	FindProxiedEgressConnection(destIP net.IP, destPort uint16) []*proxy.ConnContext
+}
+
+func IsProxiedConnectionInfo(connInfo *network.Connection) bool {
+	if connInfo == nil || connInfo.Entity == nil || connInfo.LocalIP == nil || connInfo.Entity.IP == nil {
+		return false
+	}
+
+	proxiesLocker.RLock()
+	var finder proxiedEgressFinder
+
+	switch connInfo.IPProtocol {
+	case packet.TCP:
+		switch connInfo.IPVersion {
+		case packet.IPv4:
+			finder = tcp4Proxy
+		case packet.IPv6:
+			finder = tcp6Proxy
+		}
+	case packet.UDP:
+		switch connInfo.IPVersion {
+		case packet.IPv4:
+			finder = udp4Proxy
+		case packet.IPv6:
+			finder = udp6Proxy
+		}
+	}
+
+	if finder == nil {
+		proxiesLocker.RUnlock()
+		return false
+	}
+
+	// TODO: The current FindProxiedEgressConnection path allocates a slice on each lookup in cache.go.
+	//		 Consider adding a HasProxiedEgressConnection boolean method in the cache/proxy layer
+	//		 to avoid allocating a result slice when only existence is needed. This can reduce GC pressure under load.
+	isProxied := len(finder.FindProxiedEgressConnection(connInfo.Entity.IP, connInfo.Entity.Port)) > 0
+	proxiesLocker.RUnlock()
+	return isProxied
+}
+
+func startProxies(mgr *mgr.Manager) error {
+	var (
+		tcp4 *proxy.TCPProxy
+		tcp6 *proxy.TCPProxy
+		udp4 *proxy.UDPProxy
+		udp6 *proxy.UDPProxy
+		err  error
+	)
+
+	_ = stopProxies()
+
+	tcp4, err = proxy.NewTCPProxy(fmt.Sprintf("0.0.0.0:%d", SplitTunPort), "tcp4", proxyDecider, &proxyLogger{prefix: "tcp4", mgr: mgr})
+	if err != nil {
+		return fmt.Errorf("failed to start TCPv4 proxy: %w", err)
+	}
+	tcp6, err = proxy.NewTCPProxy(fmt.Sprintf("[::]:%d", SplitTunPort), "tcp6", proxyDecider, &proxyLogger{prefix: "tcp6", mgr: mgr})
+	if err != nil {
+		return fmt.Errorf("failed to start TCPv6 proxy: %w", err)
+	}
+
+	if netenv.IPv6Enabled() {
+		udp4, err = proxy.NewUDPProxy(fmt.Sprintf("0.0.0.0:%d", SplitTunPort), "udp4", proxyDecider, &proxyLogger{prefix: "udp4", mgr: mgr})
+		if err != nil {
+			return fmt.Errorf("failed to start UDPv4 proxy: %w", err)
+		}
+		udp6, err = proxy.NewUDPProxy(fmt.Sprintf("[::]:%d", SplitTunPort), "udp6", proxyDecider, &proxyLogger{prefix: "udp6", mgr: mgr})
+		if err != nil {
+			return fmt.Errorf("failed to start UDPv6 proxy: %w", err)
+		}
+	}
+
+	proxiesLocker.Lock()
+	manager = mgr
+	tcp4Proxy = tcp4
+	tcp6Proxy = tcp6
+	udp4Proxy = udp4
+	udp6Proxy = udp6
+	proxiesLocker.Unlock()
+
+	return nil
+}
+
+func stopProxies() error {
+	proxiesLocker.Lock()
+	mgr := manager
+	tcp4 := tcp4Proxy
+	tcp6 := tcp6Proxy
+	udp4 := udp4Proxy
+	udp6 := udp6Proxy
+	tcp4Proxy = nil
+	tcp6Proxy = nil
+	udp4Proxy = nil
+	udp6Proxy = nil
+	proxiesLocker.Unlock()
+
+	if tcp4 != nil {
+		tcp4.Shutdown(mgr.Ctx())
+	}
+	if tcp6 != nil {
+		tcp6.Shutdown(mgr.Ctx())
+	}
+	if udp4 != nil {
+		udp4.Shutdown(mgr.Ctx())
+	}
+	if udp6 != nil {
+		udp6.Shutdown(mgr.Ctx())
+	}
+
+	return nil
+}
+
+// PROXY LOGGER WRAPPER
+type proxyLogger struct {
+	prefix string
+	mgr    *mgr.Manager
+}
+
+func (l proxyLogger) Debugf(format string, args ...interface{}) {
+	l.mgr.Debug(l.getLogLine(format, args...))
+}
+func (l proxyLogger) Warnf(format string, args ...interface{}) {
+	l.mgr.Warn(l.getLogLine(format, args...))
+}
+func (l proxyLogger) Infof(format string, args ...interface{}) {
+	l.mgr.Info(l.getLogLine(format, args...))
+}
+func (l proxyLogger) Errorf(format string, args ...interface{}) {
+	l.mgr.Error(l.getLogLine(format, args...))
+}
+func (l proxyLogger) getLogLine(format string, args ...interface{}) string {
+	return fmt.Sprintf("%s: "+format, append([]interface{}{l.prefix}, args...)...)
+}
diff --git a/service/splittun/requests.go b/service/splittun/requests.go
new file mode 100644
index 00000000..f7cbadae
--- /dev/null
+++ b/service/splittun/requests.go
@@ -0,0 +1,115 @@
+package splittun
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"sync"
+
+	"github.com/safing/portmaster/service/netenv"
+	"github.com/safing/portmaster/service/network"
+	"github.com/safing/portmaster/service/network/packet"
+)
+
+type request struct {
+	connInfo *network.Connection
+	bindIP   net.IP
+}
+
+var (
+	requestsLock    sync.Mutex
+	pendingRequests map[string]*request = make(map[string]*request) // key: "localIP:localPort"
+)
+
+// AwaitRequest registers a connection for handling when it arrives at the proxy.
+// The bindInterface must be unique info which identifies the interface to bind to:
+// - interface local IP address (e.g. "192.168.1.1")
+// - interface name (e.g. "eth0")
+// - MAC address (e.g. "00:1A:2B:3C:4D:5E")
+// - "auto" - to try detecting "default" (non-VPN) interface automatically (not reliable)
+func AwaitRequest(connInfo *network.Connection, bindInterface string) (*network.SplitTunContext, error) {
+
+	var bindIP net.IP
+	var interfaceName string
+	if bindInterface == "" || bindInterface == "auto" {
+		// "auto" is the default and means to try detecting the "default" (non-VPN) interface automatically.
+		// This is not reliable, but can be convenient for users who don't want to configure an interface.
+		ifaces, err := netenv.GetBestPhysicalDefaultInterfaces()
+		if err != nil {
+			return nil, err
+		}
+
+		var selectedIface *netenv.InterfaceInfo
+		if connInfo.IPVersion == packet.IPv6 && ifaces.ForIPv6 != nil {
+			selectedIface = ifaces.ForIPv6
+			bindIP = selectedIface.IPv6
+		} else if ifaces.ForIPv4 != nil {
+			selectedIface = ifaces.ForIPv4
+			bindIP = selectedIface.IPv4
+		} else {
+			return nil, fmt.Errorf("no suitable default physical interface found for IP version %d", connInfo.IPVersion)
+		}
+		interfaceName = selectedIface.Interface.Name
+	} else {
+		// Getting the interface IP address to bind the proxy connection to.
+		iface, err := netenv.GetInterface(bindInterface)
+		if err != nil {
+			return nil, err
+		}
+
+		if connInfo.IPVersion == packet.IPv6 {
+			bindIP = iface.IPv6
+		} else {
+			bindIP = iface.IPv4
+		}
+		if bindIP == nil {
+			return nil, fmt.Errorf("interface %q has no usable address for IP version %d", bindInterface, connInfo.IPVersion)
+		}
+		interfaceName = iface.Interface.Name
+	}
+
+	// Create unique key for the pending connection
+	key := net.JoinHostPort(connInfo.LocalIP.String(), strconv.Itoa(int(connInfo.LocalPort)))
+
+	requestsLock.Lock()
+	defer requestsLock.Unlock()
+
+	// Register the request
+	if _, exists := pendingRequests[key]; exists {
+		return nil, fmt.Errorf("a pending request for %s already exists", key)
+	}
+
+	pendingRequests[key] = &request{
+		connInfo: connInfo,
+		bindIP:   bindIP,
+	}
+	return &network.SplitTunContext{
+		Interface: interfaceName,
+		IP:        bindIP,
+	}, nil
+}
+
+// consumeRequest retrieves and removes a pending request for the given address.
+func consumeRequest(address string) (r *request, err error) {
+	requestsLock.Lock()
+
+	r, ok := pendingRequests[address]
+	if ok {
+		delete(pendingRequests, address)
+		requestsLock.Unlock()
+		return r, nil
+	}
+
+	requestsLock.Unlock()
+	return nil, fmt.Errorf("no pending request for %s", address)
+}
+
+// proxyDecider is called by the proxy when a new connection arrives, to determine where to forward it.
+func proxyDecider(local net.Addr, peer net.Addr) (remoteIP net.IP, remotePort uint16, localIP net.IP, extraInfo any, err error) {
+	r, err := consumeRequest(peer.String())
+	if err != nil {
+		return nil, 0, nil, nil, err
+	}
+
+	return r.connInfo.Entity.IP, uint16(r.connInfo.Entity.Port), r.bindIP, r.connInfo, nil
+}