ExpressVPN Rewrote its VPN Protocol with Rust

ExpressVPN announced today that it has transitioned its Lightway VPN protocol to the Rust programming language. The result is a safer, leaner and faster service with no functional regressions.

“Five years ago, when we built Lightway, we aimed to create a VPN protocol from scratch that could adapt to the modern, mobile world,” ExpressVPN explains. “Focusing on the needs of consumer VPN users, we kept the codebase light to boost performance and used well-established cryptography for security.”

Today, most of ExpressVPN’s customers connect using the Lightway protocol. But since its introduction, ExpressVPN has rewritten its codebase, originally in the C programming language, in Rust, a more modern, memory safe language. ExpressVPN says the result is a leaner, more secure VPN with a more easily updated codebase. And from the user’s perspective, it offers the same features as ever–post-quantum encryption, ad blocking, tracker blocking, and so on–while offering better performance.

As ExpressVPN explains, Rust is more secure than C, allowing it to “eliminate whole avenues of attack vectors and weaknesses,” with “bugs and attack vectors related to memory access immediately invalidated.” It also offers better performance and efficiency, thanks to its safer multicore processing, and better code efficiency and maintenance, which enable it to make improvements and add new features more easily (and with fewer lines of code).

“With this change to Rust, Lightway will remain open source, allowing anyone to scrutinize it and empowering other VPN developers to adopt it,” DxpressVPN continues. “The two new rigorous, independent audits, from Cure53 and Praetorian, have validated that the recode of Lightway meets the highest security standards as well as the expectations of our users.” This also means that other VPN providers can adopt Lightway, which ExpressVPN believes to be a new standard for security protocols.