• Why we didn’t adopt WireGuard in the beginning
  • Why now? 
  • How we made WireGuard ready for ExpressVPN
  • Why this matters
  • Why Lightway still leads
  • One more tool for constrained environments
  • Getting started
  • Why we didn’t adopt WireGuard in the beginning
  • Why now? 
  • How we made WireGuard ready for ExpressVPN
  • Why this matters
  • Why Lightway still leads
  • One more tool for constrained environments
  • Getting started

Why ExpressVPN built post-quantum WireGuard (and shared the blueprint)

ExpressVPN news 06.08.2025 3 mins
Sonja Raath
Written by Sonja Raath
Why ExpressVPN built post-quantum WireGuard (and shared the blueprint)

WireGuard® is fast. It’s minimal. And it's become the VPN industry's default protocol for good reason. But many implementations leave critical gaps. No authentication, no key rotation, and no post-quantum security. That’s not good enough.

We built a version that closes those gaps. Our implementation adds post-quantum encryption, ephemeral credentials, dynamic IPs, and short-lived authentication tokens. It was engineered for privacy, not just speed. And now we’re sharing the blueprint, because the industry needs to get ahead of quantum computing.

Post-quantum WireGuard is ExpressVPN’s contribution to the future of private networking. Users deserve stronger defaults, and we’re giving them a scalable WireGuard implementation—and giving other providers a clear path to follow.

Why we didn’t adopt WireGuard in the beginning

When we first reviewed WireGuard in 2019, it was still early in development. It lacked formal audits and didn’t include elements like built-in authentication or key rotation. Each connection required a static internal IP, making correlation easier and session isolation weaker. For a global service focused on privacy at scale, those trade-offs weren’t appropriate.

We wanted something simpler, safer, and easier to deploy. So we built Lightway, a protocol designed from scratch to meet those needs.

Why now? 

WireGuard hasn't changed much. But the ecosystem around it has. The protocol is now widely used across the VPN industry. Despite growing concerns about quantum-era threats, most providers still don’t offer post-quantum protections. We decided that waiting any longer wasn’t an option.

So we built a scalable WireGuard implementation that meets our standards for privacy and scalability. Then we documented the approach in a detailed white paper so others can do the same. Because protecting users in the quantum era needs action now.

How we made WireGuard ready for ExpressVPN

Post-quantum security, by default

Every session starts with a post-quantum key exchange using hybrid ML-KEM, the algorithm selected by NIST for next-generation encryption. We didn’t rely on pre-shared keys or optional upgrades. These protections are built in from the start.

Ephemeral credentials, dynamic IPs

Every session uses short-lived keys and a fresh internal IP. That makes it significantly harder to correlate activity or track users over time. No persistent identifiers or reused credentials.

Real-time provisioning, no NAT

Our system provisions connection credentials dynamically, without relying on double NAT or static peer assignments. That improves scalability and keeps deployments clean.

Built-in authentication

WireGuard doesn’t include native user authentication, so we built a lightweight system that verifies users with short-lived access tokens. No manual key sharing, and no long-lived credentials.

Runs on TrustedServer

Like every ExpressVPN protocol, our WireGuard implementation runs on TrustedServer, our RAM-only server platform. That means all data is wiped on every reboot; nothing touches a hard drive.

Built to be shared

All of these protections were added without modifying the WireGuard protocol itself. Our architecture wraps around the base design, making it easier for other providers to adopt without having to fork or rebuild. The white paper walks through each step, with implementation guidance that’s agnostic to platform or provider.

Why this matters

The industry has embraced WireGuard. Most implementations are fast, but not future-proof. Post-quantum protections are practically non-existent in production deployments. That’s not sustainable.

We’ve solved those gaps and published the results. Now it’s on the rest of the industry to catch up. 

Why Lightway still leads

Lightway remains our default protocol. It was built in-house to deliver fast, resilient connections with complete control over every layer of the handshake. Nothing about that changes. What this launch does is give users more tools.

One more tool for constrained environments

We're also introducing new manual HTTPS proxy support via Lightway in TCP mode. This is aimed at advanced users running their own infrastructure, especially in environments where VPN traffic may be throttled or blocked. It’s not a replacement for a VPN, but it offers another option when conditions are tough.

Getting started

Our post-quantum WireGuard implementation is now available on iOS, Android, and Windows. macOS support is coming soon. Proxy support is also available for users who configure their own servers. Protocol selection can be done directly through the app.

Take the first step to protect yourself online. Try ExpressVPN risk-free.

Get ExpressVPN
Sonja Raath

Sonja Raath

I like hashtags because they look like waffles, my puns intended, and watching videos of unusual animal friendships. Not necessarily in that order.

  • RELATED POST
  • More from the author
Your ExpressVPN subscription now comes with an upgraded eSIM coupon
Your ExpressVPN subscription now comes with an upgraded eSIM coupon
Katarina Glamoslija 20.08.2025 2 mins
What governments asked us for in the first half of 2025
What governments asked us for in the first half of 2025
Sonja Raath 08.08.2025 2 mins
ExpressVPN partners with League of Legends and Riot Games—here’s why gamers should be excited
ExpressVPN partners with League of Legends and Riot Games—here’s why gamers should be excited
James Laird 07.08.2025 2 mins
After a tip, ExpressVPN updates its Windows app to strengthen protections
After a tip, ExpressVPN updates its Windows app to strengthen protections
ExpressVPN 18.07.2025 3 mins
ExpressVPN now has servers in all 50 U.S. states—here’s what that means for your privacy
ExpressVPN now has servers in all 50 U.S. states—here’s what that means for your privacy
Katarina Glamoslija 10.07.2025 3 mins
What governments asked us for in the first half of 2025
What governments asked us for in the first half of 2025
Sonja Raath 08.08.2025 2 mins
Our time to shine: ExpressVPN at cybersecurity competitions
Our time to shine: ExpressVPN at cybersecurity competitions
Sonja Raath 07.04.2025 12 mins
How to block a website on any device or browser
How to block a website on any device or browser
Sonja Raath 03.03.2025 25 mins
How to remove the YTMP3.cc virus: Step-by-step guide
How to remove the YTMP3.cc virus: Step-by-step guide
Sonja Raath 24.02.2025 33 mins
Is DeepSeek safe? What happens to your data when you use it
Is DeepSeek safe? What happens to your data when you use it
Sonja Raath 29.01.2025 16 mins
As seas rise, at-risk countries lean on digital identities
As seas rise, at-risk countries lean on digital identities
Sonja Raath 23.01.2025 17 mins
Why you should think twice about using RedNote as a TikTok alternative
Why you should think twice about using RedNote as a TikTok alternative
Sonja Raath 15.01.2025 12 mins

ExpressVPN is proudly supporting

Get Started