When enforceRoutes = YES is set on a split tunnel VPN configuration containing only excluded routes, all traffic matching the included routes is silently dropped — no packets reach the VPN tunnel. Only the excluded routes route correctly via the physical adapter.
Setting enforceRoutes = NO with an identical configuration restores full connectivity immediately, confirming the issue is specific to the combination of enforceRoutes = YES and a non-empty excludedRoutes.
This has been verified on iPadOS 26.
Test Environment
Device: iPad Pro 4th gen
OS Version: iPadOS 26.0
VPN Type: NEPacketTunnelProvider
VPN Configuration (NEPacketTunnelNetworkSettings)
tunnelRemoteAddress = 103.135.123.108
DNSSettings = {
    protocol = cleartext
    server = (10.34.250.51)
}
IPv4Settings = {
    configMethod = manual
    addresses = (10.34.247.235)
    subnetMasks = (255.255.255.255)
    includedRoutes = (
        {
            destinationAddress = 0.0.0.0
            destinationSubnetMask = 0.0.0.0
        }
    )
    excludedRoutes = (
        {
            destinationAddress = 10.168.10.182
            destinationSubnetMask = 255.255.255.255
        }
    )
    overridePrimary = NO
}
MTU = 1400
enforceRoutes = YES
includeAllNetworks = NO
Reproduction Steps
Configure NEPacketTunnelProvider with the settings above
Set protocolConfiguration.enforceRoutes = YES
Set protocolConfiguration.includeAllNetworks = NO
Establish VPN connection and wait for Connected status
Attempt to access any internet resource
Observed Behavior
Excluded route (10.168.10.182) correctly routes via physical adapter — confirmed in Wireshark
Included routes (0.0.0.0/0) — zero packets visible in Wireshark on any interface, traffic completely dropped
Internet fully inaccessible — no DNS responses, no TCP connections established
Setting enforceRoutes = NO with an identical route configuration and all other settings unchanged restores full internet connectivity immediately. No other change is made.
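Added example, not part of the original post and not Apple's code: a small model of which interface each destination should use under the route lists above, compared against what a capture shows. It assumes the most specific matching route wins and that an excluded route wins a tie; the function names and the sample observations are constructed for illustration.

```python
import ipaddress

# (destinationAddress, destinationSubnetMask) pairs copied from the settings dump.
INCLUDED = [("0.0.0.0", "0.0.0.0")]
EXCLUDED = [("10.168.10.182", "255.255.255.255")]


def _nets(routes):
    """Convert address/mask pairs into ipaddress network objects."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in routes]


def expected_path(dst, included=INCLUDED, excluded=EXCLUDED):
    """Return 'tunnel' or 'physical' for one destination address.

    Assumption: longest matching prefix wins, excluded routes win ties,
    and a destination matching neither list stays on the physical interface.
    """
    addr = ipaddress.ip_address(dst)
    best_len, best = -1, "physical"
    # Excluded routes are checked second so that '>=' lets them win a tie.
    for label, routes in (("tunnel", included), ("physical", excluded)):
        for net in _nets(routes):
            if addr in net and net.prefixlen >= best_len:
                best_len, best = net.prefixlen, label
    return best


def audit(observations):
    """Compare capture results with the expected path.

    observations: list of (destination, interface seen in capture or None).
    Returns (destination, expected, observed) for every mismatch.
    """
    findings = []
    for dst, seen in observations:
        want = expected_path(dst)
        if seen != want:
            findings.append((dst, want, seen or "dropped"))
    return findings


# Constructed observations mirroring the behaviour reported in the post.
SAMPLE = [
    ("10.168.10.182", "physical"),  # excluded host, seen on physical adapter
    ("10.34.250.51", None),         # DNS server from DNSSettings, no packets seen
    ("203.0.113.10", None),         # constructed internet destination (TEST-NET-3)
]

if __name__ == "__main__":
    for dst, want, got in audit(SAMPLE):
        print(f"{dst}: expected {want}, observed {got}")
```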