Jump to content
Not connected, Your IP: 18.189.185.63
ProphetPX

ExpressVPN has invented their own new VPN protocol called "LightWay". How does AirVPN compare to their new one?

Recommended Posts

Title.  This article basically is not well-written, but i wondered if there were any experts out there who would be willing to (scholastically?) illustrate or compare the differences wbetween what AirVPN uses (OpenVPN) and the new VPN invention protocol by ExpressVPN called "LightWay" ??

https://www.howtogeek.com/747033/meet-lightway-a-speedy-open-source-vpn-protocol-available-now/

* FOR THE RECORD i am an extremely happy (and now year-long) customer of AirVPN and i will never jump ship.  I have never been a customer of ExpressVPN nor do i care for them.   I LOVE AirVPN!!!!  I just wanted better (smarter) insight as to why they claim their new protocol is "better"?? Thanks for reading.

 

Share this post


Link to post
Posted ... (edited)

Oy vey. First things first: I sigh every time I see a brand. new. thing. that's supposed to be hyped. Parts of commentary will be overly negative just for this reason.

I will start with howtogeek

In this article they have FOUR referral links to ExpressVPN. Considering ExpressVPN's ("eVPN" for short later on) business strategy, it's not surprising but it is an indicator of a conflict of interest. Two more links to their own article's to "choose a VPN", ExpressVPN pays this outlet to be on top, clearly. This is reflected in the price.

Protocol's promises

I do not see a technical explanation. Red flag. They are targetting an average Joe with marketing, not catering to advanced audience with technical details. Hence all the statements below are just ones we're supposed to believe.
Quote

According to ExpressVPN, Lightway connects more than 2.5x faster than other VPN protocols. This is especially useful if you use a VPN on your mobile device, as you won’t need to waste time waiting for the VPN to get going.

OpenVPN3 includes a new driver that's virtually instant. There's the open source 3rd party OpenVPN app for Android (iirc "OpenVPN for Android") that allows you to enable the new driver in app's settings. Try it out with AirVPN and see the difference to the old method.
I've not used WireGuard myself but I suppose it's as good as anything can get, especially on a Linux machine (Android?) where it's inside the kernel.
The goal to be fast on mobile is true, however that's less to do with a protocol and more about the software client. On mobile you'd want to suspend and resume (reconnect) as quickly as possible to conserve battery power and to allow quick wake ups (especially to fetch notifications). I suppose an improper setup across the stack will cause issues everywhere, since modern phones rely on TCP keep-alives and open connections to get push notifications and updates. Break that and you get delayed updates and battery power problems. I don't know what's the current state of this and I doubt they've thoroughly tested and addressed this concern. Read this as: no better than the default approach.
Quote
As far as reliability, the company says that with its new protocol, connections are 40 percent more reliable. This should significantly reduce the number of drops, which is especially useful on mobile when your connection is in a constant state of flux due to differences in cellular coverage.
You'd really need a definition of "reliability" here. I know on a desktop computer, OpenVPN does handle intermittent drops quite well: my connection completely drops every now and then - while connected these cause less issues than a direction connection in a game I play.
Further, OpenVPN does support "floating" clients, those changing IPs, at a protocol level. Whether it's actually enabled is a valid question towards your provider and config.
A good example will be Google's QUIC aka HTTP/3 that will be run over UDP (that's why 443/udp should work without ISP throttling already) and support clients with changing IPs natively. If anyone, they've made the most considerations about protocol features and quality.

There really isn't much technical info to talk about so just a few comments about their blog post.
Quote
We are pleased to announce that Lightway’s source code has been published
There. However there's no commit history (code changes). This should raise an eyebrow. Either they will never update it again in this place (has happened before with other companies) or they don't develop using git (doubtful). Otherwise I see no reason to scrub the change history; this means this code repository is separate from their actual working project and makes it more likely to be abandoned, hence qualifying it to be yet more of a marketing stunt. Time will tell. To be honest, they do show some love to their other repositories.
The license is good.
Quote
Lightway has also recently been assessed by cybersecurity firm Cure53, which conducted a penetration test and a source-code audit to confirm the strength of the protocol’s security.
The security audit is fair all along. However I did not see it testing this specifically as a network protocol. Especially the encryption part. As a verification for my statement (from the audit PDF):
Quote
EXP-04-012 Server: DoS via spoofed packets bouncing between servers (High)
Note:  While this issue was technically deemed to be out of scope for the library audit
According to this only the code was part of the audit agreement?

Also the audit mentions how the server/client they received binaries that had differing library versions. This would point to a lack of a central build system or a discrepancy in library versions there. Not optimal.

The code

Obviously I'm not gonna try to audit nor understand anything. At a quick glance:
  • Buffer bloat. The never-ending topic in networking, that's just getting neglected as of late. Setting it to 15MB is just welcoming overloading and lag for clients. There's no easy answer but this ain't it.
  • The protocol may be fast to connect but it isn't lightweight. Still considerable overhead and I'd argue (don't have hard numbers) it is heavier than OpenVPN/Wireguard.
  • Also due to protocol overhead this piece: internal MTU currently hardcoded to 1350. This is still a hell hole of a topic for OpenVPN too, but this proves OpenVPN should have far less overhead if configured normally (not necessarily optimally).
  • Only IPv4 support. While they may eventually tunnel IPv6 inside IPv4 and other tricks, I do not see any real consideration in the source code to suggest they even planned for real to support IPv6. This is supported by the hardcoded MTU since IPv6 has MTU path discovery (automatic configuration in other words). It's 2021 and still no IPv6 in sight.
  • I do not see how it should be faster than OpenVPN in terms of CPU overhead. Each packet read/write is probably still doing a roundtrip through kernel/userspace. There's pretty much no escape.
My overall impression: they do not have a hardcore networking guy on the team. It doesn't mean the protocol will remain like this forever, for an in-house technology they can improve in whatever direction they like.

My Verdict:

Nothing special at all about it. Yet more marketing buzz. OpenVPN3 but especially Wireguard should be considered, unless there were specifically cross-platform considerations in their case.
Though did I not drill enough into you that you end up paying for marketing?
Quote
Title: "Nokia phones choose ExpressVPN and Spotify as must-have apps"
blog post
No, they chose a paid agreement with you. ExpressVPN will pay HMD Global (today's "Nokia" smartphone manufacturer) to preinstall their app on Android phones. I don't know about you, but I hate bloat. AirVPN's anti-marketing stance was a bonus with me.
------------
While my post might've sounded overly pessimistic, view it as nothing more but a hype and marketing-stopper. Especially until they deliver on technical details, considerations and benchmark results under different conditions (reproducible). I've little doubt that speed of connection is fast, but that's the easiest part. Especially if one used the 0-RTT TLS (idk) which is not without its security implications. Yet another rabbit hole.

PS:

Notice how this article of howtogeek has 2 very peculiar affiliate links:
(ExpressVPN) https://www.uxnzmft.com/?offer=3monthsfree&a_aid=howtogeek&data1=content&data2=221929
(TunnelBear) https://www.dpbolvw.net/click-3607085-14014041?sid=CT221929
That's going to great lengths to ensure the tracking of your marketing campaign works from start to finish (i.e. one can't bypass the referral link by just entering the domain name). The innate repulsion for mainstream stuff isn't a bad thing... :)
I know you asked just for a protocol comparison and it ended up being more than just that. But I will also add AirVPN are working on enabling Wireguard, their early estimate for an experimental enablement was September.
Edited ... by Stalinium
PS added

Share this post


Link to post
9 hours ago, Stalinium said:

I do not see a technical explanation. Red flag.


Yes, I don't see a documentation as well. Not entirely a red flag for me, as the code is there at least. But it seems like it's expected to work with ExpressVPN clients only. Remains to be seen, give it a few months.
 
9 hours ago, Stalinium said:

A good example will be Google's QUIC aka HTTP/3


Small remark: QUIC != HTTP/3. HTTP/3 is about to be QUIC's most prominent user, yes, but otherwise you can put other layer 7 protocols into it, e.g. DNS-over-QUIC.
 
9 hours ago, Stalinium said:

The license is good.


Unfortunately, it is bizarrely overshadowed by a CLA which grants ExpressVPN some interesting rights over your contributions. You can argue that OpenVPN does have that, too, but that exactly is a reason why AirVPN is not upstreaming OpenVPN3 changes as of now.

A VPN protocol that is only usable with one company, such as NordLynx, is not really a protocol, it's a way to bind you to the company, like a gift or "membership" card.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...