- ExpressVPN’s industry-leading protocol, Lightway, is now reimplemented in Rust, a modern programming language recognized for security and performance
- The new source code is validated by two independent security audits from Cure53 and Praetorian
- Lightway’s code remains open-source for greater trust, transparency, and adoption across the industry
BRITISH VIRGIN ISLANDS; 17 FEBRUARY, 2025 — Leading consumer privacy and security company ExpressVPN today announced an overhaul of its proprietary VPN protocol, Lightway—now reimplemented in Rust for enhanced performance and security. The code, open-source and available to all, has also been verified in two independent, external security audits.
Since its inception, Lightway has been specifically designed and built to suit the needs of modern users—delivering a speedy, secure, and more reliable VPN experience. ExpressVPN has now reimplemented Lightway in Rust, a more modern coding language that prioritizes performance and security. Through this overhaul, ExpressVPN is laying the foundation for a simpler, yet more robust solution with Lightway—ready for the future of VPN connectivity.
Setting a new standard for VPN protocols
Moving Lightway to Rust brings three key advantages over the original C implementation. Firstly, the protocol is now inherently more secure thanks to Rust’s built-in memory safety, eliminating common vulnerabilities and attack vectors in C. Furthermore, Rust allows simpler, more expressive code that enables strong performance capabilities and greater efficiencies. It also supports safer multicore processing, meaning better performance, more battery life, and stronger protection.
Lastly, Rust’s modern architecture allows for more intuitive development, making it easier to expand Lightway’s features while maintaining a simpler code base. This creates an ideal platform for implementing future improvements and builds—without compromising the core principles of security and efficiency that underpin Lightway’s ethos.
“At ExpressVPN, we innovate to solve the challenges of tomorrow. Upgrading Lightway from its previous C code to Rust was a strategic and straightforward decision to enhance performance and security while ensuring longevity. With Rust widely recognized as the high-performing, secure, and reliable language, it was a natural choice for evolving Lightway,” said Pete Membrey, Chief Research Officer at ExpressVPN.
Dual audits for greater trust and transparency
ExpressVPN commissioned two independent security audits of Lightway’s source code, partnering with cybersecurity firms Cure53 and Praetorian. This dual-audit approach provides comprehensive verification of Lightway’s security. Each firm conducted thorough, separate assessments in parallel, scrutinizing Lightway’s Rust code and its cryptographic foundations.
The results from both groups were consistently positive, with Praetorian uncovering only two low-risk findings and Cure53 reporting five discoveries—of which four were classified as miscellaneous findings with low exploitation potential. All findings have been addressed by ExpressVPN and validated again by both expert auditors.
Cure53’s security audit report stated: “Cure53’s very limited number of findings…can be interpreted as a positive sign for the security of the ExpressVPN Lightway protocol.”
Praetorian’s report commended Lightway’s secure usage of Rust unsafe blocks and strong cryptographic primitives with WolfSSL, highlighting that they were “particularly beneficial and warrant special recognition”.
“Investing in dual audits from two independent firms was an important decision we made to gain diverse expert perspectives on Lightway’s new code base. That is why I am happy to share the consistently positive findings across both audits—validating Lightway’s robust security design and implementation,” said Aaron Engel, Chief Information Security Officer at ExpressVPN.
Dr Membrey added: “Our goal with Lightway is not only to serve the users of ExpressVPN but also to contribute its technology meaningfully to the VPN industry. With Lightway’s open-source code available to all and further testing and validation by trusted experts in cybersecurity, we’ve confidently built the VPN protocol of the future—more secure, stronger performance, and ever-ready for the modern world.”
As part of ExpressVPN’s commitment to transparency and trust, the team is publishing extensive project documentation and additional public-facing materials.
- To view the source code of Lightway, see ExpressVPN’s GitHub page.
- To find the full audit reports on Lightway, see links to Cure53, Praetorian, and blog.
- For more information about Lightway, please visit our blog.
- Find more technical insights here.
END
NOTES TO THE EDITOR
- Lightway in Rust rollout dates:
  - Aircove: Live now
  - Android: end of March
  - Linux: early Q2
  - Mac: end of Q2
  - Windows: end of Q3
About ExpressVPN
Since 2009, ExpressVPN has empowered millions of users to take control of their internet experience. The company’s award-winning consumer VPN service is backed by its open-source VPN protocol, Lightway, delivering user privacy in just a few clicks. ExpressVPN’s Keys password manager, Aircove router range, and Identity Defender tools make digital privacy and security easy and accessible for all. ExpressVPN’s products have been extensively vetted by third-party experts, including PwC, Cure53, KPMG, and others.
ExpressVPN has been part of Kape Technologies since 2021. To learn more about ExpressVPN’s industry-leading privacy and security solutions, visit www.expressvpn.com.
Contact
ExpressVPN press team