ExpressVPN has continued its commitment to privacy and security with the re-release of its Lightway protocol in Rust, a modern programming language.
The proprietary protocol has been reimplemented for enhanced performance and security within Rust's modern coding language.
Known for being one of the best VPNs, ExpressVPN has consistently championed user privacy and experience. The new source code has been assessed in two independent audits, and follows Lightway's upgrade to ML-KEM encryption, the new industry standard for post-quantum encryption.
Lightway V2 in detail
Lightway is ExpressVPN's own VPN protocol and was launched in 2020. It was built with the aim of making your VPN experience faster, more secure, and more reliable. It's light on its feet, runs faster than other protocols, uses less battery, and is easier to audit and maintain.
A recent update saw the new, industry standard ML-KEM post-quantum encryption integrated into Lightway, with ExpressVPN becoming the first leading VPN to implement post-quantum encryption across the board.
VPN protocols determine how your data is encrypted and moved through networks – and at what speed. There are a few different VPN protocols out there, each with their own strengths and weaknesses. OpenVPN and WireGuard are the two most popular and most leading VPN providers give you a choice between the two. Consider reading our "understanding VPN protocols" page to learn more.
Lightway was originally built in C, but remaking it in Rust offers three key advantages. It is inherently more secure thanks to its built-in memory safety, eliminating common vulnerabilities and attack vectors in C.
Memory safety is integral to Rust's language. It allocates memory by default and won't let you access memory you shouldn't be. Rust prevents attackers from exploiting memory vulnerabilities and only one person can access the code at a time.
Rust allows simpler and more expressive code that enables strong performance capability and efficiency, beyond that offered by C. It also supports safer multicore-processing which means better performance, more battery life, and stronger protection.
Finally, Rust's architecture allows for more intuitive development, making it easier to expand Lightway's features while maintaining a simpler base code. This produces an ideal platform for implementing future improvements and builds without compromising Lightway's core features.
ExpressVPN's Chief Research Officer, Pete Membrey, said: "At ExpressVPN, we innovate to solve the challenges of tomorrow. Upgrading Lightway from its previous C code to Rust was a strategic and straightforward decision to enhance performance, and security, while ensuring longevity."
"With Rust widely recognized as a high-performing, secure, and reliable language, it was a natural choice for evolving Lightway."
Independently audited
It is always a good sign when VPNs undergo audits, be that to verify no-logs policies or put encryption and security to the test. ExpressVPN has done just that with Lightway in Rust, with not one, but two independent audits of the code.
Cybersecurity firms Cure53 and Praetorian conducted comprehensive, separate assessments of Lightway's Rust code in parallel, scrutinizing it and its cryptographic foundations.
"Investing in dual audits from two independent firms was an important decision we made to gain diverse expert perspectives on Lightway's new base code."
Aaron Engel, CISO at ExpressVPN
Results were positive, with Praetorian uncovering only two low-risk findings and Cure53 uncovering five – four of which were miscellaneous and had low exploitation potential. All findings were addressed by ExpressVPN and re-assessed by auditors.
Cure53 said its "very limited number of findings" was a "positive sign" for Lightway's security. Praetorian's report called Lightway's secure usage of Rust unsafe blocks and strong cryptographic primitives with WolfSSL "particularly beneficial" and warranted "special recognition."
Aaron Engel, Chief Information Security Officer at ExpressVPN, said: "Investing in dual audits from two independent firms was an important decision we made to gain diverse expert perspectives on Lightway's new base code."
Membrey added that ExpressVPN also wanted to "contribute its technology meaningfully to the VPN industry." He went on to say ExpressVPN was confident it had "built the VPN protocol of the future – more secure, stronger performance, and ever-ready for the modern world."
When is it coming?
The first device to receive the Lightway in Rust upgrade is ExpressVPN's Aircove router. This means faster speeds of up to 330 Mbps for the router, although speeds on other devices will hit the super-fast speeds we've come to expect from ExpressVPN.
The update was rolled out in an automatic update on AircoveOS on February 4 and Android will see the new Lightway protocol by the end of March 2025.
Linux will see the update next, releasing in early Q2 – expected to be April – and Mac and iOS are expected to receive the update by the end of June.
Windows will be the final platform to receive its Lightway in Rust update and this is expected to be by September 2025.
You'll need to install the latest update when Lightway in Rust comes to your device. If you have automatic updates enabled on your devices there's nothing more you'll need to do. But if not, remember to initiate the update when it becomes available.
Lightway V2 will seamlessly replace Lightway V1 and there is no option to switch between the two protocols.
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
