We have just rolled out a new version of Lightway to users—one that sees our pioneering VPN protocol rewritten in the Rust programming language. Here we want to take a moment to discuss some of the more technical reasons behind the changes we’ve made and dive into the benefits of Rust over C, the language we originally used for the Lightway code.
A brief history of Lightway
We built Lightway from scratch in a quest to offer a VPN protocol that serves the needs of VPN users in a modern, mobile world—one that’s fast, secure, and reliable. Since launching Lightway five years ago, we’ve open-sourced it, had it audited, and implemented key upgrades.
Why we now choose Rust
Since the very conception of Lightway, we’ve kept an eye on Rust. While it was already apparent that Rust had numerous benefits, it lacked raw performance—which was a dealbreaker for Lightway, as it needed to be able to support all kinds of devices, including lower-powered routers and budget phones.
However, over the past few years, Rust has stepped up in terms of performance, to the point where in many cases it beats C. We knew it was time to revisit the language and made the decision to switch, with the ultimate goal of improving users’ VPN experience.
Key differences with Rust
Rust checks for issues in the code at compile time rather than at run time. This removes common pain points:
- No segfaults: these are not possible because Rust allocates memory by default and won’t let you access memory that you shouldn’t.
- No buffer overflows: buffer overflows enable attackers to exploit memory vulnerabilities by overrunning the memory buffer in the code. Rust protects against this by checking memory allocation and preventing errors from being introduced.
- No need for pointers: pointers exist but are seldom used because there are better alternatives, and Rust infers a lot from context by default. By comparison, in C you have to use pointers for everything, which makes introducing errors much more likely.
- No data races: Rust’s ownership system prevents two threads from updating the same data at the same time. It’s like having the conch in Lord of the Flies: only the person holding the conch can update the variables.
- Multi-threading becomes simple: trying to do multi-threading in C is incredibly difficult and comes with inherent risk. Rust enables us to do secure multi-threading without the workarounds required by C. Rust refers to this as fearless concurrency.
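The bounds-checking and data-race points above, as an added Rust example (not Lightway's code and not part of the original post): a parser for a length-prefixed frame whose length field is set by the sender, plus a total updated from several threads. The frame layout and every name in it are assumptions made for illustration.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

// Hypothetical wire format (an assumption, not Lightway's):
// [type: u8][len: u16 big-endian][payload: len bytes]
#[derive(Debug, PartialEq)]
enum FrameError {
    Truncated,
    LengthExceedsBuffer { declared: usize, available: usize },
}

fn parse_frame(buf: &[u8]) -> Result<(u8, &[u8]), FrameError> {
    // `get` returns None instead of reading past the end of the slice.
    let header = buf.get(..3).ok_or(FrameError::Truncated)?;
    let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
    let body = &buf[3..];
    // The sender controls `declared`; the slice carries its real length.
    let payload = body.get(..declared).ok_or(FrameError::LengthExceedsBuffer {
        declared,
        available: body.len(),
    })?;
    Ok((header[0], payload))
}

// One thread per frame, all adding to a shared total. Sharing one
// `&mut usize` between these threads is rejected by the compiler;
// Arc<Mutex<_>> is the "conch" that lets one thread at a time update it.
fn count_payload_bytes(frames: Vec<Vec<u8>>) -> usize {
    let total = Arc::new(Mutex::new(0usize));
    let handles: Vec<_> = frames.into_iter().map(|frame| {
        let total = Arc::clone(&total);
        thread::spawn(move || {
            if let Ok((_, payload)) = parse_frame(&frame) {
                *total.lock().unwrap() += payload.len();
            }
        })
    }).collect();
    for h in handles { h.join().unwrap(); }
    let n = *total.lock().unwrap();
    n
}

fn main() {
    // Constructed sample frames: one honest, one whose length field lies.
    let good = vec![0x01, 0x00, 0x04, b'p', b'i', b'n', b'g'];
    let lying = vec![0x01, 0xFF, 0xFF, b'h', b'i'];
    println!("{:?}", parse_frame(&good));
    println!("{:?}", parse_frame(&lying));
    println!("{}", count_payload_bytes(vec![good.clone(), lying, good]));
}
```

The frame that declares 65,535 bytes but carries two is returned as an error value rather than causing a read beyond the buffer.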
Memory safety is integral to the language, and we can leverage secure usage of Rust unsafe blocks where we need to introduce flexibility. One example of where we’d need to do this would be to read the counter out of a network card. This contrasts with C, where memory unsafety is integral to the language; it’s designed to be like Assembly and stay out of the way of developers.
When Rust got low-level virtual machine (LLVM) back ends, it advanced the compiler to such a point that we could truly leverage the expressive language. We are now able to simplify our code and improve the performance of Lightway beyond the capabilities offered by raw C.
What are the benefits to Lightway?
Greater security: because of Rust’s memory safety, the code we produce within it is inherently safer than it could be if coded in C. Certain attack vectors and opportunities for human error simply cannot exist in Rust.
Higher performance capabilities: with simpler and more expressive code and less overhead, the new Rust codebase offers the potential for greater efficiency and bandwidth, meaning a faster VPN experience, and less power consumption. We’ve already observed up to two times the normal speeds on Aircove routers.
Ease of extension: a modern VPN requires a modern coding language, and the evolution of Rust makes it a logical next step for VPN protocols. It also makes improving the functionality and feature set of the VPN easier, and creates less bloat – future-proofing Lightway for decades to come.
Dual audited because we care about security—a lot
In order to demonstrate that the new Rust codebase was up to our stringent security standards, we commissioned two independent, side-by-side audits of the Rust codebase from Praetorian and Cure53. The auditors conducted a comprehensive analysis of the source code for Lightway in Rust. Both audits reaffirmed the strong security posture of Lightway’s new Rust codebase, and any findings have already been addressed and reassessed.
In Cure53’s audit of Lightway, testers noted that:
- “The codebase made a generally strong impression, as dictated also by the functionality being minimalistic. This results in a clean and concise implementation in Rust. Rust’s memory safety features are effectively leveraged, contributing to a highly robust and stable library / application.”
- “The strong overall security posture of the codebase is further demonstrated by the low count of exploitable vulnerabilities, with only a single DoS vulnerability identified.”
In Praetorian’s audit of Lightway, testers noted that:
- “ExpressVPN built the Lightway protocol on WolfSSL using strong cryptographic primitives. […] Those primitives effectively protected the encrypted traffic against replay, injection, tampering, and cache-timing attacks.”
- “The ExpressVPN security team was responsive to questions, roadblocks, and findings raised by Praetorian throughout the engagement. This responsiveness showed desire and commitment to improving ExpressVPN’s security posture.”
Will Lightway remain open source?
Definitely. We believe it’s the VPN protocol of the future and want everyone to adopt it as the go-to over other VPN protocols. Plus, making it available to everyone means anyone can look at the code and verify its security (or else be rewarded by our bug bounty program).
What’s next for Lightway?
We’ll never sit still with Lightway. We’ll keep upgrading the Lightway protocol’s security, performance, and functionality to make it the gold standard of VPN protection.
Looking ahead, we’ll be on the road and talking about Lightway’s developments at FOSSAsia and RustConfAsia. We look forward to sharing with conference attendees and will report back on our blog.

