If you use ExpressVPN, you have likely seen the word “Lightway” in the protocol settings. So, what is the Lightway protocol exactly? Simply put, the Lightway protocol is ExpressVPN’s exclusive, custom-built engine that powers your secure connection. Instead of relying on older, third-party technologies, ExpressVPN engineered Lightway from scratch to make your VPN experience faster, more secure, and significantly lighter on your battery.
The protocol is the core of any VPN service. It determines how your data is encrypted and how quickly your device connects to a server. In 2024, ExpressVPN completely rebuilt Lightway using the Rust programming language, heavily upgrading its raw speed and memory safety.
This article covers everything from the basics to the latest technical updates, including the new features that set Lightway apart from every other protocol available today.
Key takeaways:
- Proprietary and Rust-based: Lightway is ExpressVPN’s exclusive protocol, rebuilt in Rust for stronger memory safety and better performance.
- Four independent audits: Lightway has been assessed by Cure53 (2021, 2022, 2024) and Praetorian (2024), all confirming secure design.
- Post-quantum protection: Lightway integrates ML-KEM (the NIST standard for post-quantum encryption) by default, with no extra configuration.
- Sub-2-second connections: Lightway connects in under 2 seconds, significantly faster than WireGuard (~12 seconds) or OpenVPN (~18 seconds).
- Lightway Turbo: A new multi-lane tunneling toggle that further increases download and upload speeds (currently available on Windows).
- Open-source: The core codebase is publicly available on GitHub for independent review by anyone.
1. What is a VPN protocol? The foundation of every VPN
A VPN protocol is the set of rules that governs how your data is encrypted and transmitted between your device and the VPN server. It defines the tunneling process at a technical level. Every aspect of your VPN experience flows directly from which protocol is running. This includes how fast the connection starts, how much processing power it consumes, and how the tunnel behaves when the network changes.
When we test VPNs, we observe each protocol’s impact across three key dimensions. First, connection speed, which is how fast the tunnel is established and sustained. Second, resource consumption, meaning how much the protocol taxes the device’s CPU and battery. Third, stability, referring to how the connection behaves when the device switches from Wi-Fi to mobile data or wakes from sleep.
These are not abstract technical concerns. A protocol that drops the tunnel when the network changes creates a security gap without the user ever knowing.
The three protocols that matter most in 2026:
- OpenVPN: Launched in 2001, with a codebase exceeding 70,000 lines. It has a long track record of reliability and is trusted for bypassing strict firewalls, but its age shows in speed comparisons with newer alternatives.
- WireGuard: Approximately 4,000 lines of code, modern cryptography, and fast connection times. It became the new industry benchmark for performance and is used by multiple major VPN providers.
- Lightway: Approximately 2,000 lines of code, written in Rust, and built entirely by ExpressVPN. It is the focus of this article.
2. What is Lightway protocol? Key benefits and features
Lightway is ExpressVPN’s custom-built, proprietary VPN protocol, designed from scratch to be faster, more secure, and lighter than traditional options.
It was engineered to optimize across six specific criteria: lightweight architecture, near-instant connection speed, always-on network stability, robust security, audited transparency, and low battery consumption.

The sections below break each of these down in detail.
2.1 Lightweight architecture: ~2,000 lines of code
Lightway’s codebase is extremely lean, sitting at just about 2,000 lines. To put that in perspective, OpenVPN relies on over 70,000 lines, while even the modern WireGuard uses around 4,000. This massive difference in size brings immediate, practical benefits to your daily usage.
A smaller codebase produces three concrete advantages for any protocol:
- Easier to audit: Fewer lines of code means fewer places for vulnerabilities to hide. Security researchers can review the entire protocol thoroughly, not just sampled sections.
- Faster to maintain: When an issue surfaces, ExpressVPN can identify and patch it without navigating a sprawling legacy codebase.
- Simpler to extend: Adding new features, such as Lightway Turbo (described in Section 3.2), is significantly faster on a clean, lean architecture than on a large legacy one.
Lightway also carries no legacy code or outdated authentication mechanisms, which are a common source of exploitable weaknesses in older protocols. The Rust implementation replaced the original C version. This shift made the codebase even more expressive and efficient. It produced a protocol that is leaner than its predecessor while remaining structurally more secure.
2.2 Near-instant connection speed
Lightway establishes a secure connection in under 2 seconds. In contrast, WireGuard generally takes about 12 seconds to connect, and OpenVPN trails at around 18 seconds. If you have ever stared at a loading screen right before an urgent video call, you will instantly appreciate how much of a difference this speed makes.
Beyond just connecting quickly, Lightway is designed to maintain exceptionally high data throughput. In our global testing (detailed in Section 5), Lightway consistently outpaced older protocols across local, nearby, and long-distance servers. ExpressVPN has also been ranked the fastest VPN by TechRadar, Tom’s Guide, and other independent review organizations.
For users who want to push speeds further, Lightway Turbo (covered in Section 3.2) adds multi-lane tunneling as an additional performance layer. We found this combination particularly useful on high-bandwidth connections where a single tunnel lane would otherwise be the bottleneck.
2.3 Seamless always-on connection
When a network connection is interrupted, Lightway does not terminate the VPN tunnel. The connection enters an “idle” state: the session is paused but preserved. The moment the device reconnects to any network, the VPN resumes on the same server without requiring any action from the user.
This behavior is architecturally different from how OpenVPN handles network changes. OpenVPN terminates the tunnel and must re-establish the connection from scratch, creating a window where the device is unprotected. WireGuard also does not offer this always-on capability.
Lightway’s idle state model applies to several situations users encounter regularly:
- Switching from Wi-Fi to 4G/5G mobile data during an active session
- Stepping in and out of an elevator where the signal momentarily drops
- Waking a device from sleep mode
- Deactivating and reactivating airplane mode
We observed that in the last two scenarios, reconnection is effectively imperceptible. The VPN session is active again before the user has finished the action that triggered the interruption.
2.4 Strong, modern security: AES-256-GCM and ChaCha20
Lightway’s security architecture is built on five distinct layers, each addressing a different threat surface. Speed and architecture are only meaningful when backed by verified cryptographic foundations.
- wolfSSL cryptographic library: The underlying library is certified to FIPS 140-2 standards. This means its cryptographic modules have been independently tested and approved for use in U.S. government systems. This provides a concrete, verifiable credential that goes beyond a general reputation for reliability.
- AES-256-GCM encryption: The same cipher standard used by the NSA to protect classified data. It provides strong resistance to brute-force attacks across all data passing through the VPN tunnel.
- ChaCha20-Poly1305: A second cipher, optimized for mobile devices and hardware with lower processing capability. No other major VPN protocol currently supports both AES-256-GCM and ChaCha20-Poly1305 simultaneously, giving Lightway flexibility across device types.
- Perfect Forward Secrecy (PFS): Each session uses its own independent, temporary encryption key. If a server’s private key were ever compromised, an attacker could not use it to decrypt data from past sessions. Every session is cryptographically self-contained.
- Dynamic encryption keys: Encryption keys are rotated during an active connection, preventing an attacker who gains partial access from decrypting the full session.
ExpressVPN also ships a kill switch and DNS leak protection alongside Lightway as additional safety layers, ensuring the device does not revert to unprotected traffic if the VPN drops unexpectedly.
2.5 Open-source and independently audited (4 audits)
Lightway’s core codebase is open-source and publicly available on GitHub (https://github.com/expressvpn/lightway-core). Any security researcher or developer can inspect it, test it, or build on top of it. ExpressVPN also maintains a bug bounty program that rewards independent researchers who identify security vulnerabilities, creating an active external incentive for ongoing review beyond formal audits.
Since its launch, Lightway has completed four independent security audits:
- Cure53 (2021): Conducted when Lightway was first open-sourced. Confirmed the protocol’s security architecture and foundational design.
- Cure53 (2022): A follow-up reconfirmation audit, verifying no regressions had been introduced between releases.
- Cure53 (2024): Commissioned after the complete reimplementation in Rust. Assessed the new codebase from scratch under updated threat assumptions.
- Praetorian (2024): A second independent firm audited the Rust implementation in parallel with the Cure53 2024 assessment.
All four audits confirmed that Lightway is securely built. Two separate firms, four engagements, across three years.
Why an “audit” matters
A third-party audit is not a certificate of good intentions. It is a professional stress test. When a firm like Cure53 or Praetorian audits Lightway, their researchers actively attempt to break it. They hunt for flaws, vulnerabilities, and logical errors in the code before attackers can find them.
The fact that four separate assessments found no significant issues means the protocol has been tested under adversarial conditions and held up. For the user, an audit is the difference between a company saying their product is secure and providing external, third-party proof that it is.
2.6 Battery efficiency and device performance
Lightway’s small codebase means it consumes significantly less processing power than heavier protocols like OpenVPN. Less processing power translates directly into less battery drain.
During extended mobile sessions, we observe a noticeably smaller battery impact when running Lightway compared to OpenVPN on the same device and connection.
The ChaCha20-Poly1305 cipher contributes specifically to mobile performance. ChaCha20 is designed to deliver high-speed encryption on processors that lack hardware acceleration for AES, which covers most smartphones.
Users can switch explicitly to ChaCha20 in the advanced protocol options within the ExpressVPN app if they want to prioritize battery life on mobile.
The Rust reimplementation brings further efficiency gains over the previous C-based version. ExpressVPN has indicated that improvements will continue as the Rust codebase matures across platforms.
3. Lightway in Rust: A complete protocol overhaul
In 2024, ExpressVPN completed a total reimplementation of Lightway in the Rust programming language. This was not a patch or an incremental update. The entire codebase was rebuilt from the ground up. The result is referred to as Lightway 2.0, and it remains open-source and publicly available on GitHub.
Two new audits (Cure53 and Praetorian, both in 2024) were commissioned specifically to evaluate the Rust-based implementation.
3.1 Why ExpressVPN moved from C to Rust
The original version of Lightway was written in C, a language that offers strong performance but places the full responsibility for memory management on the programmer. In C, a specific category of programming errors (buffer overflows, use-after-free bugs, null pointer dereferences) can create exploitable memory safety vulnerabilities.
These are among the most commonly used attack vectors in deployed software across the security industry.
Rust eliminates this category of vulnerability by design. The Rust compiler enforces memory safety rules at compile time. Code that would produce a memory safety problem in C simply cannot compile in Rust. The attack vector is removed at the language level, not mitigated after the fact by runtime checks or developer discipline.
The practical benefits of the Rust reimplementation for Lightway users include:
- Eliminated memory vulnerability class: An entire category of attack vectors that existed in C-based code is structurally absent from the Rust version of Lightway.
- More expressive, leaner codebase: Rust enables cleaner code with fewer lines needed to express the same logic, keeping the protocol compact and reducing overall complexity.
- Faster iteration on new features: Modern architecture makes it substantially easier to implement and validate new capabilities, as demonstrated by the development of Lightway Turbo.
- Industry-level openness: ExpressVPN has made Lightway 2.0 available for any VPN provider to adopt, positioning the Rust implementation as a potential new protocol standard for the broader industry.
Rust is not a new or experimental language. It has matured into one of the most widely used languages among developers building high-performance systems, valued precisely for the memory safety guarantees it provides by default.
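The memory-error classes named in this section, shown on a length-prefixed frame parser in safe Rust. This is an added example, not code from ExpressVPN or the Lightway repository; the frame layout, type values and names are hypothetical. A peer-supplied length that exceeds the datagram comes back as an error value instead of an out-of-bounds read, and the lifetime on `Frame` is what the compiler uses to reject use of a payload after its buffer is gone.

```rust
// Added example. The frame layout is hypothetical, NOT Lightway's wire format:
//   byte 0     : frame type
//   bytes 1..3 : payload length (big-endian u16), supplied by the peer
//   bytes 3..  : payload

const HEADER_LEN: usize = 3;

#[derive(Debug, PartialEq)]
pub enum FrameType {
    Data,
    Ping,
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Fewer than HEADER_LEN bytes were received.
    TruncatedHeader,
    /// The header claims more payload than the datagram contains.
    LengthExceedsBuffer { declared: usize, available: usize },
    /// The type byte is not one this parser knows.
    UnknownType(u8),
}

/// `payload` borrows from the receive buffer. The lifetime `'a` makes the
/// compiler reject any use of a Frame after that buffer is freed or
/// overwritten, which is the use-after-free case in C.
#[derive(Debug, PartialEq)]
pub struct Frame<'a> {
    pub kind: FrameType,
    pub payload: &'a [u8],
}

pub fn parse_frame(buf: &[u8]) -> Result<Frame<'_>, FrameError> {
    // `get` returns None rather than reading outside the slice.
    let header = buf.get(..HEADER_LEN).ok_or(FrameError::TruncatedHeader)?;
    let kind = match header[0] {
        0x01 => FrameType::Data,
        0x02 => FrameType::Ping,
        other => return Err(FrameError::UnknownType(other)),
    };
    let declared = usize::from(u16::from_be_bytes([header[1], header[2]]));
    let body = &buf[HEADER_LEN..];
    // A C parser that trusts `declared` and copies that many bytes would
    // read past the datagram into adjacent memory. Here the mismatch is
    // reported to the caller and nothing outside `buf` is touched.
    let payload = body.get(..declared).ok_or(FrameError::LengthExceedsBuffer {
        declared,
        available: body.len(),
    })?;
    Ok(Frame { kind, payload })
}

fn main() {
    // Constructed datagrams: well-formed, over-long length field, truncated.
    let samples: [&[u8]; 3] = [
        &[0x01, 0x00, 0x02, 0xAA, 0xBB],
        &[0x01, 0xFF, 0xFF, 0xAA],
        &[0x02, 0x00],
    ];
    for s in samples.iter() {
        println!("{:02x?} -> {:?}", s, parse_frame(s));
    }
}
```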
3.2 Lightway Turbo: Multi-lane tunneling for faster speeds
Lightway Turbo is a toggle within the ExpressVPN application that activates multi-lane tunneling. In standard operation, a VPN connection routes data through a single stream between the device and the server. Multi-lane tunneling opens multiple simultaneous data streams through the tunnel at the same time, allowing more data to be transmitted in parallel rather than sequentially.
The practical outcome is higher download and upload throughput, particularly on high-bandwidth connections where a single stream would otherwise limit the total data rate. Lightway Turbo is currently available in the ExpressVPN Windows application. Support for additional platforms is in active development.
This feature is a direct product of the Rust architecture. The cleaner, more expressive codebase made it substantially easier to build, test, and deploy. Users on Windows can enable Lightway Turbo in the Protocol settings tab after selecting Lightway UDP.
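A generic sketch of multi-lane striping with in-order delivery on the receiving side, added here as an example; it is not ExpressVPN's code, and the page does not describe Turbo's internals. The round-robin scheduling, sequence numbers, window size and all names are assumptions. The receiver drops duplicate or stale sequence numbers and bounds how far ahead it will buffer, so a peer cannot make it hold unbounded memory.

```rust
use std::collections::BTreeMap;

/// One tunnel packet tagged with a sequence number shared by all lanes.
#[derive(Debug, Clone, PartialEq)]
pub struct Packet {
    pub seq: u64,
    pub data: Vec<u8>,
}

/// Sender side: numbers packets and stripes them round-robin across lanes.
pub struct Striper {
    lanes: u64,
    next_seq: u64,
}

impl Striper {
    pub fn new(lanes: u64) -> Self {
        assert!(lanes > 0, "at least one lane is required");
        Striper { lanes, next_seq: 0 }
    }

    /// Returns the lane index to transmit on, and the numbered packet.
    pub fn send(&mut self, data: &[u8]) -> (usize, Packet) {
        let seq = self.next_seq;
        self.next_seq += 1;
        ((seq % self.lanes) as usize, Packet { seq, data: data.to_vec() })
    }
}

#[derive(Debug, PartialEq)]
pub enum Accept {
    /// One or more payloads released in sequence order.
    Delivered(Vec<Vec<u8>>),
    /// Held until the gap before it is filled.
    Buffered,
    /// Duplicate, already delivered, or outside the reorder window.
    Dropped,
}

/// Receiver side: lanes finish at different times, so packets are re-sequenced.
pub struct Reorderer {
    next_expected: u64,
    window: u64,
    pending: BTreeMap<u64, Vec<u8>>,
}

impl Reorderer {
    pub fn new(window: u64) -> Self {
        Reorderer { next_expected: 0, window, pending: BTreeMap::new() }
    }

    pub fn receive(&mut self, p: Packet) -> Accept {
        // Already delivered or already buffered: never deliver twice.
        if p.seq < self.next_expected || self.pending.contains_key(&p.seq) {
            return Accept::Dropped;
        }
        // Too far ahead: refuse, which caps `pending` at `window` entries.
        if p.seq - self.next_expected >= self.window {
            return Accept::Dropped;
        }
        self.pending.insert(p.seq, p.data);
        let mut out = Vec::new();
        while let Some(d) = self.pending.remove(&self.next_expected) {
            out.push(d);
            self.next_expected += 1;
        }
        if out.is_empty() { Accept::Buffered } else { Accept::Delivered(out) }
    }
}

/// Constructed scenario: 6 packets over 2 lanes, lane 1 drains before lane 0.
pub fn demo() -> Vec<String> {
    let mut tx = Striper::new(2);
    let mut lanes: Vec<Vec<Packet>> = vec![Vec::new(), Vec::new()];
    for i in 0..6 {
        let (lane, pkt) = tx.send(format!("pkt{}", i).as_bytes());
        lanes[lane].push(pkt);
    }
    let mut rx = Reorderer::new(8);
    let mut delivered = Vec::new();
    for &lane in &[1usize, 0] {
        for pkt in lanes[lane].drain(..) {
            if let Accept::Delivered(batch) = rx.receive(pkt) {
                delivered.extend(batch.into_iter().map(|d| String::from_utf8(d).unwrap()));
            }
        }
    }
    delivered
}

fn main() {
    println!("{:?}", demo());
}
```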

4. Post-quantum protection: Future-proofing your data
Quantum computing introduces a specific threat to modern encryption. A powerful quantum computer could eventually break the mathematical foundations of current encryption algorithms, including RSA and elliptic-curve cryptography. For most users, this threat sounds remote because large-scale quantum computers do not yet exist at commercial capability.
The immediate risk, however, is not waiting for that future. Security researchers have documented a tactic known as “harvest now, decrypt later”: an attacker collects encrypted data today, stores it, and waits until quantum computing capability advances enough to decrypt it retrospectively.
For data with long-term sensitivity (such as financial records, legal communications, and medical information), the harvesting phase is already happening now.
Lightway addresses this through post-quantum protection integrated at the protocol level. The current implementation uses ML-KEM (Module Lattice Key Encapsulation Mechanism), the algorithm selected by the National Institute of Standards and Technology (NIST) as its standard for post-quantum key exchange.
Here is what this means for your daily VPN usage:
- The ML-KEM standard: It uses complex mathematical problems designed specifically to resist attacks from both classical and quantum computers.
- Default activation: You do not need to flip any switches in the settings. Post-quantum protection is enabled automatically on every Lightway connection.
- Dual-threat defense: Your data remains completely secure against today’s conventional computers and tomorrow’s quantum systems simultaneously.
This is not a feature on a roadmap. Post-quantum protection is active in every Lightway connection right now.
5. Lightway vs. WireGuard vs. OpenVPN: Head-to-head comparison
To assess where Lightway stands, a direct comparison with the two other most widely used protocols is necessary. We evaluate these protocols based on raw speed and everyday usability.
First, let’s look at the actual throughput performance. We ran sustained throughput tests across three server distances from Vietnam, using our own test environment. The results clearly demonstrate Lightway’s edge in raw speed:
| Protocol | Local (Vietnam) | Nearby (Singapore) | Long-distance (US) |
|---|---|---|---|
| Lightway UDP | 483.94 Mbps | 484.20 Mbps | 423.62 Mbps |
| WireGuard | 21.69 Mbps | 433.75 Mbps | 384.92 Mbps |
| OpenVPN UDP | 22.53 Mbps | 25.77 Mbps | 375.34 Mbps |

The data reveals a clear performance advantage for Lightway. It maintained a blazing fast speed of over 480 Mbps on local and nearby connections. It only experienced a minor drop when connecting across the globe to the US. While WireGuard performed well on international routing, it struggled unexpectedly on our local Vietnam servers. OpenVPN showed its age, failing to break 400 Mbps on any connection distance.
Beyond just speed, the underlying architecture and features differ significantly. The table below covers the factors most relevant to day-to-day performance and security.
| Feature | Lightway (ExpressVPN) | WireGuard (industry standard) | OpenVPN (the classic) |
|---|---|---|---|
| Speed | Excellent | Excellent | Good |
| Codebase | ~2,000 lines | ~4,000 lines | 70,000+ lines |
| Security | Excellent (AES-256-GCM + ChaCha20, audited) | Excellent (modern cryptography) | Excellent (AES-256, heavily vetted) |
| Connection time | Under 2 seconds | ~12 seconds | ~18 seconds |
| Stability / always-on | Excellent (idle, not terminated) | Very good | Good (drops on network change) |
| Battery use | Low | Very low | High |
| Post-quantum | Yes (ML-KEM, default) | No | No |
Lightway differentiates itself from WireGuard through several key features. These include its always-on idle connection model, post-quantum protection enabled by default via ML-KEM, and the Lightway Turbo multi-lane tunneling capability.
To summarize, here is when you should use each protocol:
- Use Lightway if: You use ExpressVPN and want the fastest possible speeds for 4K streaming or gaming. It is the best choice for everyday performance and future-proof quantum protection.
- Use WireGuard if: You use other major VPN providers like NordVPN or Surfshark. It provides excellent speeds and low battery consumption for standard browsing and media consumption.
- Use OpenVPN if: You are connected to a heavily restricted network, such as a school or workplace. It excels at bypassing complex firewalls and strict internet censorship, where newer protocols might fail.
6. Pros and cons of ExpressVPN Lightway
Lightway brings significant advantages but also has specific trade-offs. Here is a breakdown of what works well and what could be improved.
Pros
- Ultra-fast connection speeds: The protocol establishes a secure tunnel in under two seconds. It consistently maintains high download and upload rates, which is ideal for data-heavy tasks.
- Excellent battery efficiency: Its lean codebase requires significantly less processing power than older options. This design noticeably preserves battery life during extended sessions on smartphones and tablets.
- Future-proof security: Lightway includes ML-KEM post-quantum cryptography by default. This advanced layer protects your current online activity against the threat of future quantum computing attacks.
- Transparent open-source code: The core architecture is publicly available on GitHub for anyone to review. This openness allows independent researchers to verify its safety and report vulnerabilities.
Cons
- Exclusive to ExpressVPN: You cannot install or configure Lightway on other VPN services. It is a proprietary tool locked entirely to the ExpressVPN ecosystem.
- High subscription cost: To use this protocol, you must pay for an ExpressVPN account. This service generally operates at a much higher price point than competitors that use WireGuard.
- Lacks native obfuscation: Unlike OpenVPN, Lightway does not inherently camouflage its traffic to look like regular web browsing. If you are on a highly restrictive network, you might face challenges bypassing deep packet inspection without additional app-level routing.
Lightway is the right choice for users who have selected ExpressVPN or are seriously evaluating it. Users who need a high-quality protocol across multiple VPN options, or who are working with a tighter budget, should evaluate WireGuard as an alternative.
7. How to use Lightway in your ExpressVPN app
The simplest approach is to leave the ExpressVPN protocol setting on “Automatic”. The app selects the most suitable protocol for current network conditions, and in most situations it will select Lightway. For users who want to confirm the selection or switch manually, the process is straightforward.
7.1 Step-by-step setup
Here is how to select Lightway manually in the ExpressVPN app:
- Open the ExpressVPN app on your device.
- Navigate to Profile.
- Go to the VPN Protocol tab.
- Select “Lightway – UDP” from the list.
On Windows, users can also enable Lightway Turbo for additional throughput. After selecting Lightway UDP, toggle on Lightway Turbo. This activates multi-lane tunneling and increases download and upload speeds on supported connections. Lightway Turbo is currently a Windows-only feature.

7.2 Lightway UDP vs. TCP: Which to choose?
Lightway offers two transport variants. The right choice depends on the network environment.
| Option | Best for |
|---|---|
| Lightway UDP | Almost everything: streaming, gaming, and daily browsing. Prioritizes speed. |
| Lightway TCP | Unstable networks, restrictive firewalls (such as at workplaces or schools), torrenting, and any transaction requiring confirmed packet delivery. Prioritizes reliability over raw speed. |
Our recommendation: Start with UDP. It is the default and delivers the best performance for the vast majority of use cases. Switch to TCP if you encounter repeated disconnections or cannot maintain a stable connection on a specific network. For over 99% of our usage, UDP performs without issue.
8. Why did ExpressVPN build Lightway instead of using WireGuard?
WireGuard is fast, modern, and open-source. This raises a natural question: why did ExpressVPN invest time and resources to build a protocol from scratch rather than adopting it? The decision reflects multiple strategic priorities beyond technical performance.
Total control and faster security response.
By owning the entire codebase, ExpressVPN can identify and patch security vulnerabilities immediately. There is no external development team to coordinate with, no public release cycle to wait for. If a vulnerability surfaces, ExpressVPN’s team can fix and deploy the patch across its network on its own timeline.
Deep integration for better performance.
Lightway can be optimized specifically for ExpressVPN’s server infrastructure and global network. This level of tuning is not possible with a generic third-party protocol. The result is better sustained performance and reliability compared to a standard WireGuard setup running on the same server hardware.
Addressing early WireGuard privacy concerns.
Early versions of WireGuard had a structural limitation: they required static IP address assignment, which created logging implications incompatible with a strict no-logs VPN model. By building Lightway independently, ExpressVPN could design the necessary privacy protections directly into the protocol from the start, rather than retrofitting them later.
Setting a broader industry standard.
ExpressVPN has open-sourced Lightway 2.0 and actively invited other VPN providers to adopt it. The goal extends beyond internal use: the company has positioned the Rust-based, post-quantum-ready implementation as a reference architecture for where VPN protocol development should go. Making Lightway available to the wider industry means external scrutiny, additional audit eyes, and the potential for community input that benefits all users.
ExpressVPN controls every layer of Lightway’s development. This ensures that security improvements, new features, and performance optimizations ship on its own schedule rather than depending on external decisions.
9. FAQ about Lightway protocol
What is the Lightway protocol?
Lightway is the exclusive VPN protocol developed entirely by ExpressVPN. It was designed from the ground up to be faster, more reliable, and more secure than older protocols. Now rebuilt in Rust and featuring ML-KEM post-quantum protection by default, Lightway is ExpressVPN’s most advanced connection technology and the protocol it selects automatically in most conditions.
Is Lightway safe to use?
Yes. Lightway has passed four independent security audits across three years, conducted by Cure53 (2021, 2022, 2024) and Praetorian (2024).
Its cryptographic library (wolfSSL) is certified to FIPS 140-2 standards. The protocol supports AES-256-GCM, ChaCha20-Poly1305, and Perfect Forward Secrecy. Combined with ExpressVPN’s audited no-logs policy, Lightway is among the more rigorously verified protocols currently available from any VPN provider.
Is Lightway open source?
Yes. The core library of Lightway is open-source and publicly available on GitHub. Security researchers and developers can freely inspect the code, and ExpressVPN runs a bug bounty program that compensates those who responsibly disclose security issues.
What does it mean that Lightway was “audited”?
A security audit involves an independent firm contracted to examine the codebase. They do not merely confirm good intentions. Instead, they actively search for vulnerabilities before attackers can find them.
Lightway has completed four such audits: Cure53 in 2021 (initial open-source audit), Cure53 in 2022 (reconfirmation audit), Cure53 in 2024 (post-Rust reimplementation), and Praetorian in 2024 (second independent firm, also post-Rust). All four confirmed the protocol is securely built. Four assessments, two separate firms, over three years.
What is Lightway Turbo?
Lightway Turbo is a feature toggle within the ExpressVPN application that enables multi-lane tunneling. Instead of transmitting data through a single stream, Lightway Turbo runs multiple simultaneous data streams through the VPN tunnel, increasing overall download and upload throughput.
It is currently available in the ExpressVPN Windows app, with other platforms in active development. Users can activate it in the Protocol settings tab after selecting Lightway UDP.
Does Lightway work on routers?
Yes. Lightway is supported on compatible routers, including ExpressVPN’s Aircove router, which runs Lightway in Rust natively. Both Lightway TCP and Lightway UDP are available on router configurations, which allows an entire home or office network to route its traffic through Lightway without configuring each connected device individually.
Is Lightway better than NordVPN’s NordLynx?
Both are strong proprietary protocols. Lightway supports both TCP and UDP transport, uses both AES-256-GCM and ChaCha20-Poly1305 encryption, includes ML-KEM post-quantum protection by default, and has a fully open-source codebase on GitHub.
NordLynx supports only UDP, uses ChaCha20, does not include post-quantum protection, and its implementation is proprietary (based on WireGuard, but the NordLynx-specific layer is closed-source).
For raw speed and baseline security in typical use, both protocols perform comparably across most real-world conditions. The meaningful differences are in protocol flexibility, transparency, and post-quantum readiness.
Do any other VPNs use Lightway?
Although ExpressVPN has open-sourced the core codebase and actively invited other VPN providers to adopt it, no other major VPN service currently uses Lightway. As of 2026, it remains entirely exclusive to the ExpressVPN ecosystem. To use this protocol, you must have an active ExpressVPN subscription.
10. Conclusion
Lightway has moved well beyond its original description as a fast, lightweight protocol. As of 2026, it is a complete security platform. It is rebuilt in Rust for structural memory safety and equipped with ML-KEM post-quantum protection by default. It also features Lightway Turbo for multi-lane throughput gains.
Four independent security audits provide concrete evidence for its security claims. These were conducted by two separate firms across three years, ensuring they are not just marketing assertions.
For users evaluating ExpressVPN, Lightway is the most technically differentiated aspect of the service. It offers a unique combination of benefits that are not replicated by any other mainstream VPN protocol:
- Sub-2-second connection times.
- An always-on idle state model.
- Dual AES-256-GCM and ChaCha20-Poly1305 cipher support.
- Post-quantum protection enabled by default.
The open-source codebase and active bug bounty program add a layer of external accountability. This strengthens rather than replaces the internal security claims.
At Safelyo, we consider Lightway’s continued development a credible signal that ExpressVPN is investing in long-term infrastructure.