ExpressVPN’s Lightway protocol is getting a major upgrade — one the company hopes makes it the VPN protocol of the future. On Monday, the VPN company announced the release of Lightway in Rust (essentially Lightway 2.0), which is designed for faster speeds, enhanced security and better overall performance.
When ExpressVPN first developed Lightway in 2020, the protocol was written in C, a programming language originally developed in the early ’70s but still widely popular because of its simplicity and flexibility. Along with the original version of Lightway, other VPN protocols like OpenVPN and WireGuard are also implemented in C. But ExpressVPN says that reimplementing Lightway in Rust offers several distinct advantages over the protocol’s previous iteration in C.
First is that Rust can make Lightway even more secure than it already is because using Rust eliminates certain vulnerabilities commonly found in C due to mishandling memory (Rust’s memory safety features nullify such a risk). Also, Rust can give the protocol a boost when it comes to overall performance and battery life. Finally, Rust’s codebase will allow ExpressVPN engineers to be more nimble and faster with updates and improvements to Lightway going forward.
“Upgrading Lightway from its previous C code to Rust was a strategic and straightforward decision to enhance performance, and security while ensuring longevity,” said Pete Membrey, ExpressVPN’s chief research officer. “With Rust widely recognized as the high-performing, secure, and reliable language, it was a natural choice for evolving Lightway.”
Essentially, what this all means for you is that the new implementation of Lightway should make your experience with ExpressVPN faster, more secure and more reliable. That’s saying a lot because ExpressVPN is already one of the most secure and reliable VPNs you can buy — and further solidifies the VPN as one of my top recommendations for users with critical privacy needs like journalists, attorneys, physicians, activists and whistleblowers. Even if you’re just looking for general privacy online, there’s nothing wrong with giving your privacy an even greater boost with Lightway in Rust.
And although it hasn’t been the fastest VPN over the past few years, rolling out Lightway in Rust could give ExpressVPN a much-needed speed boost. This means that you should experience smoother streaming performance, faster downloads, uninterrupted video calls and lower ping during your gaming sessions while connected to ExpressVPN and using the new implementation of Lightway.
So, in theory, Lightway’s re-coding should be a major improvement all around to an already stellar VPN. But while a VPN’s speed and reliability can be generally pretty evident to the average user, quantifying a VPN protocol’s security isn’t. ExpressVPN addresses this in a couple of important ways. For one, Lightway is an open-source VPN protocol, meaning that its codebase is publicly available online for anyone to scrutinize or even implement into their own VPN solutions. This makes it possible for experts to validate the security of the protocol and spot any potential vulnerabilities.
Additionally, ExpressVPN commissioned two separate independent audits in late 2024 to validate the security of Lightway in Rust — one by Cure53 and the other by Praetorian. The two cybersecurity firms worked independently of one another, and both delivered an overall positive assessment of Lightway in Rust’s implementation. Cure53 identified one high-severity vulnerability and four “general weaknesses with lower exploitation potential” while Praetorian found two low-risk vulnerabilities — all of which were subsequently resolved by ExpressVPN.
“Overall…Cure53’s very limited number of findings, especially with only one exploitable vulnerability, can be interpreted as a positive sign for the security of the ExpressVPN Lightway protocol,” Cure53 wrote in its audit report.
ExpressVPN is the undisputed leader in the VPN industry when it comes to transparency through independent audits, undergoing multiple audits every year. While an audit can only validate the state of the VPN at the time of the audit itself, it serves as an important signal of trust and can give the public confidence in the VPN that it’s doing what it says it’s doing. But being open-source can help fill those gaps because it gives the entire security community the opportunity to examine the code at any time.
“ExpressVPN has always led the industry in third-party evaluation and verification of our software,technology and policies,” Aaron Engel, ExpressVPN’s chief information security officer, said in a blog post. “Having Lightway evaluated by two independent third-party auditors is our way of showing our commitment to transparency while demonstrating our confidence in the technology we have developed.”
Lightway in Rust is being rolled out first to ExpressVPN’s Aircove routers on Monday, followed by Android at the end of March, Linux early in the second quarter, MacOS toward the end of the second quarter and finally to Windows by the end of the third quarter.
