ExpressVPN Rewrites Lightway VPN Protocol in Rust for Security

ExpressVPN has reimplemented its Lightway VPN protocol in Rust, replacing the original C-based implementation.

The move aims to enhance security, improve performance, and make future expansions more efficient. To validate the security of the rewritten protocol, ExpressVPN commissioned independent audits by Cure53 and Praetorian, both of which confirmed the integrity of the new implementation.

A leaner and more secure Lightway

Lightway, introduced in 2020, is ExpressVPN’s custom-built VPN protocol designed to optimize speed, security, and efficiency for modern internet users. Unlike OpenVPN or WireGuard, Lightway was developed from scratch to meet the demands of mobile and multi-platform use while maintaining strong encryption standards. With this recent overhaul, ExpressVPN has transitioned Lightway to Rust, a programming language known for its memory safety features, which significantly reduce vulnerabilities such as buffer overflows and memory leaks—common security risks in C-based applications.

The reimplementation required a complete rewrite of Lightway’s codebase, allowing ExpressVPN to leverage Rust’s safety mechanisms and multi-core processing capabilities. According to the company, this results in a leaner, more efficient VPN that consumes less power on user devices while maintaining fast connection times. The protocol continues to use wolfSSL, a widely recognized cryptographic library and retains all existing features, including post-quantum encryption support and built-in ad and tracker blocking.

To ensure the robustness of Lightway’s Rust implementation, ExpressVPN engaged two security firms — Cure53 and Praetorian — to conduct separate audits in late 2024. The audits analyzed the protocol’s source code and wolfSSL-RS integration, uncovering only a few low-risk issues, all of which have since been addressed. Cure53’s report noted a “very limited number of findings” and described the new implementation as being in a “good state of security.” Similarly, Praetorian praised ExpressVPN’s handling of Rust’s unsafe blocks, which allow necessary low-level network operations without compromising security.

This transition to Rust reflects a broader industry trend where security-conscious applications are moving away from memory-unsafe languages like C and C++. By making Lightway’s Rust-based implementation open source, ExpressVPN is also contributing to transparency and allowing other VPN providers to adopt or scrutinize its protocol.

For users, the shift means improved security with fewer attack vectors, more efficient performance, and a future-ready VPN protocol designed to withstand emerging threats. While the change happens under the hood, ExpressVPN users can expect a more secure and reliable VPN experience without altering how they use the service.

For an up-to-date and in-depth review of ExpressVPN, its features, service compatibility, and all its pros and cons compared to the competition, check out this page.