This guide will help you quickly set up a Lightway VPN server and client using the nightly builds.
- Linux system (x86_64, arm64, or riscv64)
- Root or sudo access
- The following packages:
jq,yq(for parsing server and client config.yaml files)apache2-utils(htpasswd for user authentication)iproute2iptables
Install dependencies on Debian/Ubuntu:
sudo apt-get update
sudo apt-get install jq apache2-utils iproute2 iptables
sudo wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
sudo chmod +x /usr/local/bin/yq- Linux, macOS, or Windows system
- Root or sudo access (required for tunnel device management on Linux/macOS)
- On Windows, Wintun
Download the server binary from the nightly releases page, or:
ARCH=$(uname -m); [[ "$ARCH" == "arm64" ]] && ARCH="aarch64"
curl -fL "https://github.com/expressvpn/lightway/releases/download/lightway-nightly/lightway-server-${ARCH}-unknown-linux-gnu" -o lightway-server
chmod +x lightway-servercurl -L -o server_start.sh https://raw.githubusercontent.com/expressvpn/lightway/main/samples/server_start.sh
chmod +x server_start.shCreate a password file for user authentication using htpasswd:
# Replace 'myuser' with your desired username
htpasswd -B -c lwpasswd myuserEnter the password when prompted. This creates a lwpasswd file with your username and securely hashed password.
To add additional users to the database, omit the -c flag:
# Add another user
htpasswd -B lwpasswd anotheruserYou need TLS certificates for the server. For testing, you can generate self-signed certificates:
# Create a directory for certificates
mkdir certs && cd certs
# Generate CA key and certificate
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crtYou'll be prompted for details (country, state, organization, etc.). Fill them in as appropriate.
# Generate server key and certificate
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256Use the example config from the repository:
curl -L -o server_config.yaml https://raw.githubusercontent.com/expressvpn/lightway/main/tests/server/server_config.yamlEdit the config to update the database (user_db) and certificate paths (server_cert and server_key)
Use the provided setup script to start the server:
sudo ./server_start.sh server_config.yaml- Create and configure the TUN interface
- Set up IP forwarding
- Configure NAT/SNAT rules
- Start the Lightway server
The server will now listen on port 27690 (or the port you configured).
Download the client for your platform from the nightly releases page.
Available platforms:
- Linux: x86_64, aarch64, riscv64
- macOS: x86_64 (Intel), aarch64 (Apple Silicon)
- Windows: x86_64, aarch64
After downloading, make it executable (Linux/macOS):
chmod +x lightway-clientOn Windows, you will need to download Wintun and place wintun.dll in the same directory as lightway-client.
Copy the ca.crt file from your server to the client machine.
Use the example config from the repository:
curl -L -o client_config.yaml https://raw.githubusercontent.com/expressvpn/lightway/main/tests/client/client_config.yamlEdit the config to update server, ca_cert, user, and password fields.
Run the client to establish a VPN connection to the server:
sudo ./lightway-client --config-file client_config.yaml