On August 10, 2021, ExpressVPN announced on their official blog that they are open-sourcing Lightway so that more people can enjoy its benefits. Lightway is a next-generation VPN protocol developed by ExpressVPN to provide users with a faster, more secure, and more reliable VPN experience.

Origin of Lightway

While the major VPN vendors have been using protocols like OpenVPN, IKEv2, IPsec, and WireGuard, ExpressVPN, an industry giant, stated that they would not be using WireGuard and decided to develop a new VPN protocol of their own: Lightway.

ExpressVPN began using Lightway as their new virtual private network protocol last year, and for about a year ExpressVPN has been testing and improving the Lightway protocol internally.

Lightway is a new VPN protocol built from the ground up by ExpressVPN, with the advantages of cleaner and more efficient code, faster connections and operation, and better stability than the old VPN protocol. ExpressVPN offers full platform support for Android, iOS, Windows, Mac, Linux and routers.

A new standard for greater safety, speed and reliability

Improve performance and reduce load

Lightway is not affected by legacy features or technical debt from other protocols. This is evident from its code base of only about 2000 lines of core code. The minimalist code base not only keeps CPU load very low, but is also relatively easy to maintain and audit.

In ExpressVPN's official tests, Lightway connected 2.5 times faster than the old protocol, and more than half the time, Lightway successfully connected to the VPN in less than a second. 90% of users tested also reported that Lightway could connect to the VPN faster than before, and had faster Internet access.

Dynamic processing to cope with complex network changes

When a device moves from Wi-Fi to a cellular network, or from no signal back to signal, most older VPN protocols must exit and restart the session, or they lag while dealing with these network disruptions and network switches. Lightway allows for greater VPN stability. Even if the network is accidentally disconnected, the VPN session will continue to hold until the next time you connect to the network, without having to re-establish the VPN link.

Open Source and Audit

Cure53 testing on Lightway

Prior to the full rollout, ExpressVPN engaged cybersecurity firm Cure53 to conduct penetration testing and source code audits of Lightway. Cure53 identified 14 security issues, but none were classified as “significant”. ExpressVPN’s engineering team followed up promptly and fixed all issues in July. Interested parties can view the security assessment report here.

"The codebase observed on Lightway followed a consistent coding pattern and was of very high quality. The Lightway protocol gave a stable impression in the evaluation. Although there are some issues listed in the report, they are fairly simple to fix."

Improving trust, transparency and security of Lightway through open source

Beyond the audit, ExpressVPN has released the Lightway core code under an open source license (GNU GPLv2). This allows the global technical community and individuals to test and inspect the code, identify potential vulnerabilities, and improve overall security.

If a security vulnerability is found, it can be submitted to ExpressVPN through ExpressVPN’s Vulnerability Bounty Program for a reward.

Harold Li, vice president of ExpressVPN, said, “The trust and transparency initiative gives us more confidence to fully launch Lightway and we are excited to make the benefits of Lightway available to more people.”

Peter Membrey, ExpressVPN’s architect leading the Lightway engineering effort, added, “This is one of the most important innovations we’ve done to date, and we’re excited to give back to the privacy and security community by sharing Lightway with the world. Others are also encouraged to contribute to Lightway’s code and join us in moving the VPN industry forward.”

Some hidden dangers and concerns

Compared to other very mature VPN protocols, Lightway has some advantages, but it is still new, and there are many instability factors and risks. The trial experience was fine, but it will take time to verify whether a migration to Lightway can support long-term stable use.