When we announced the launch of Lightway—the VPN protocol we built from the ground up—many users asked why we didn’t adopt WireGuard instead.
This response is understandable, given WireGuard’s strong reputation as a free and open-source VPN protocol, and one that we have a lot of respect for. In fact, we published a blog post in 2019 in support of WireGuard’s continued development and financially contributed to the effort as well, but also noted some factors that gave us pause in adopting it for ExpressVPN.
We take the privacy of our more than 3 million users seriously and have to be deliberate about adopting any new technology. After carefully evaluating WireGuard, we determined it wasn’t a good fit for our users and decided to develop Lightway, with the aim of creating a protocol that has all of WireGuard’s benefits while going further on other fronts that matter to a consumer VPN.
Here are the three main differences between Lightway and WireGuard, and what makes Lightway more suited for ExpressVPN’s users:
1. Privacy
WireGuard was not designed primarily as a privacy tool. That makes it less suited, off the shelf, to a VPN platform like ours, which serves a large number of users with a wide variety of reasons for using a VPN, privacy protection among them.
A WireGuard server holds a static configuration for every peer: the peer’s public key and the tunnel IP address (its AllowedIPs) that key is permitted to use. Tunnel addresses are not assigned dynamically, keys must be exchanged in advance, and because each key is bound to a fixed address the same user appears as the same tunnel IP in every session, which makes a particular user’s traffic easy to link over time. The server also keeps each peer’s most recent real-world endpoint address and last handshake time in memory, where anyone with access to the machine can read them with the wg show command. This follows from WireGuard’s threat model: it assumes the peers trust each other, so there is no need to hide your IP address from the other end.
With Lightway, a user’s tunnel address is drawn from a pool on a least recently used (LRU) basis: whichever address has been idle the longest is handed out next, so a returning user does not get a predictable address and any given address serves many different users over time. Although each user holds their own tunnel address for the duration of a session, the address that their traffic presents to the rest of the internet is the same exit IP address shared by everyone on that server. Any logs or system information will only ever show that replacement address.
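To make the contrast concrete, here is an added example in Python, written for this article and not taken from ExpressVPN’s or WireGuard’s code. It parses the real wg show wg0 dump output format (the keys, addresses and timestamps in it are constructed) to show exactly what a WireGuard server holds for each peer, and then replays a constructed sequence of connections against a simple least-recently-used address pool to show how one tunnel address ends up serving different users over time. The pool class is an illustration of the LRU scheme described above, not Lightway’s implementation.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Constructed `wg show wg0 dump` output. The tab-separated layout is WireGuard's;
# the keys, addresses and timestamps are made up for this example. Line 1 is the
# interface: private-key, public-key, listen-port, fwmark. Each later line is one
# peer: public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
# transfer-rx, transfer-tx, persistent-keepalive.
WG_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff\n"
    "PEER_A_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.45:41641\t10.8.0.2/32"
    "\t1693910400\t1048576\t8388608\toff\n"
    "PEER_B_PUBLIC_KEY_PLACEHOLDER=\t(none)\t198.51.100.7:6001\t10.8.0.3/32"
    "\t1693907000\t20480\t40960\t25\n"
)


@dataclass(frozen=True)
class PeerRecord:
    """The per-peer state a WireGuard server exposes at any moment."""
    public_key: str        # long-lived identity, fixed in the server config
    tunnel_ip: str         # AllowedIPs: also fixed, so key <-> address never changes
    endpoint: str          # the peer's most recent real-world source address and port
    latest_handshake: int  # Unix time of the last handshake (0 if never)


def parse_wg_dump(dump: str) -> list[PeerRecord]:
    """Parse `wg show <iface> dump` into PeerRecords, skipping the interface line."""
    records = []
    for line in dump.splitlines()[1:]:
        if not line.strip():
            continue
        pub, _psk, endpoint, allowed_ips, handshake = line.split("\t")[:5]
        # A peer may have several AllowedIPs; the first is treated as its tunnel address.
        records.append(PeerRecord(pub, allowed_ips.split(",")[0], endpoint, int(handshake)))
    return records


def static_address_map(records: list[PeerRecord]) -> dict[str, str]:
    """tunnel IP -> public key. With WireGuard this mapping is identical in every
    session, so a tunnel address is a stable identifier for one user."""
    return {r.tunnel_ip: r.public_key for r in records}


class LruAddressPool:
    """Tunnel-address pool that always hands out the address released longest ago.

    Added illustration of the least-recently-used scheme the post describes,
    not Lightway's implementation.
    """

    def __init__(self, addresses):
        # OrderedDict keeps release order: the front is the least recently used address.
        self._free = OrderedDict((a, None) for a in addresses)
        self._in_use: dict[str, str] = {}  # session -> address

    def assign(self, session: str) -> str:
        if session in self._in_use:
            raise ValueError(f"{session} already holds an address")
        if not self._free:
            raise RuntimeError("address pool exhausted")
        addr, _ = self._free.popitem(last=False)
        self._in_use[session] = addr
        return addr

    def release(self, session: str) -> None:
        addr = self._in_use.pop(session)
        self._free[addr] = None  # released address goes to the back of the queue


def replay_sessions(pool: LruAddressPool, events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Replay ("connect"|"disconnect", user) events; return each user's address per session."""
    seen: dict[str, list[str]] = {}
    for action, user in events:
        if action == "connect":
            seen.setdefault(user, []).append(pool.assign(user))
        elif action == "disconnect":
            pool.release(user)
        else:
            raise ValueError(action)
    return seen


# Constructed sequence of connects and disconnects against a four-address pool.
EVENTS = [
    ("connect", "alice"), ("connect", "bob"), ("disconnect", "alice"),
    ("connect", "carol"), ("connect", "alice"), ("disconnect", "bob"),
    ("connect", "dave"), ("disconnect", "alice"), ("connect", "alice"),
]


def lru_demo() -> dict[str, list[str]]:
    pool = LruAddressPool(["10.8.0.2", "10.8.0.3", "10.8.0.4", "10.8.0.5"])
    return replay_sessions(pool, EVENTS)


if __name__ == "__main__":
    for r in parse_wg_dump(WG_DUMP):
        print(f"{r.tunnel_ip:<12} {r.public_key:<32} last seen from {r.endpoint} at {r.latest_handshake}")
    print(lru_demo())
```

Run as a script, the first part prints each peer’s fixed tunnel address next to its long-lived key and the last real-world address it connected from, which is what the static mapping leaks to anyone who can read server state. The second part shows alice receiving 10.8.0.2, then 10.8.0.5, then 10.8.0.3 across three sessions while 10.8.0.2 is reused by dave in between, so neither a tunnel address nor a log line containing one points at a single user.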
2. TCP and UDP
Lightway runs over either TCP or UDP, two transport protocols with different trade-offs. WireGuard runs over UDP only, by design, and could not add TCP without significant changes to the protocol.
With Lightway, most users should choose UDP by default because it is faster, but TCP is more likely to get through on certain networks, such as airport Wi-Fi and corporate networks, and some network providers block UDP outright. Offering both lets our customers establish a VPN connection and use Lightway in a wide range of network conditions.
3. Obfuscation
The WireGuard project has made clear that obfuscation, that is, masking the fact that a VPN is being used to reroute a user’s traffic, is out of scope for the protocol and belongs in a layer above it. As a result, WireGuard traffic is easy for censorship systems or corporate firewalls to fingerprint and block.
Obfuscation can be layered on top of WireGuard, but it takes a separate, additional component. Lightway Core has a built-in plug-in infrastructure that makes adding such functionality trivial.
Lightway: Strong on all fronts
Services can add layers on top of WireGuard to reach similar levels of privacy and similar features, but doing so requires significant modifications, and those modifications are often proprietary. Lightway does not need additional layers; it covers these areas out of the box.
Lightway’s core code is now open source, so anyone can inspect what has gone into the protocol to make it strong on privacy and security. Cure53 has also independently audited Lightway for security and published its report.
WireGuard is a registered trademark of Jason A. Donenfeld.
Share your thoughts on WireGuard vs. Lightway in the comments!