ytp-dl 0.6.4__tar.gz → 0.6.6__tar.gz

{ytp_dl-0.6.4 → ytp_dl-0.6.6}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: ytp-dl
-Version: 0.6.4
+Version: 0.6.6
 Summary: YouTube video downloader with Mullvad VPN integration and Flask API
 Home-page: https://github.com/yourusername/ytp-dl
 Author: dumgum82
@@ -33,39 +33,39 @@ Dynamic: summary
 
 # ytp-dl
 
-> A lightweight YouTube downloader with Mullvad VPN integration and HTTP API
+A lightweight YouTube downloader with Mullvad VPN integration and an HTTP API.
 
 [![PyPI version](https://img.shields.io/pypi/v/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![Python Support](https://img.shields.io/pypi/pyversions/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![License](https://img.shields.io/pypi/l/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![Downloads](https://img.shields.io/pypi/dm/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 
-**ytp-dl** is a privacy-focused YouTube downloader that automatically routes downloads through Mullvad VPN via an HTTP API.
+**ytp-dl** is a privacy-focused YouTube downloader that routes downloads through Mullvad VPN via an HTTP API.
 
 ---
 
-## ✨ Features
+## Features
 
-* 🔒 **Privacy First** — Automatically connects/disconnects Mullvad VPN per download
-* 🎥 **Smart Quality Selection** — Prefers 1080p H.264 + AAC (no transcoding needed)
-* 🎵 **Audio Downloads** — Extract audio as MP3
-* 🚀 **HTTP API** — Simple Flask-based API with concurrency controls
-* ⚡ **VPS Ready** — Includes automated installer script for Ubuntu
+* Privacy-first: connect/disconnect Mullvad per download
+* Smart quality selection: prefers 1080p H.264 + AAC (no transcoding)
+* Audio downloads: extract audio as MP3
+* HTTP API: simple Flask API with concurrency controls
+* VPS-ready: automated installer script for Ubuntu
 
 ---
 
-## 📦 Installation
+## Installation
 
 ```bash
-pip install ytp-dl==0.6.4 yt-dlp[default]
+pip install ytp-dl==0.6.5 yt-dlp[default]
 ```
 
-**Requirements:**
+Requirements:
 
-* Linux operating system (tested on Ubuntu 24.04/25.04)
-* [Mullvad CLI](https://mullvad.net/en/download/vpn/linux) installed and configured
-* FFmpeg (for handling audio + video)
-* Deno (system-wide, required by yt-dlp for modern YouTube extraction)
+* Linux (tested on Ubuntu 24.04/25.04)
+* Mullvad CLI installed and configured
+* FFmpeg (audio/video handling)
+* Deno (system-wide; required by yt-dlp for modern YouTube extraction)
 * Python 3.8+
 
 Notes:
@@ -74,29 +74,38 @@ Notes:
 
 ---
 
-## 🎯 Using Your VPS
+## Using your VPS
 
-Once your VPS is running, you can download videos using simple HTTP requests:
+Once your VPS is running, you can download videos using simple HTTP requests.
 
-### Download a Video (1080p MP4)
+### Download a video (1080p MP4)
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}'   --output video.mp4
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}' \
+  --output video.mp4
 ```
 
-### Download Audio Only (MP3)
+### Download audio only (MP3)
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "extension": "mp3"}'   --output audio.mp3
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "extension": "mp3"}' \
+  --output audio.mp3
 ```
 
-### Download at Specific Resolution
+### Download at a specific resolution
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "resolution": 720}'   --output video.mp4
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "resolution": 720}' \
+  --output video.mp4
 ```
 
-### Check Server Health
+### Check server health
 
 ```bash
 curl http://YOUR_VPS_IP:5000/healthz
@@ -124,7 +133,7 @@ response = requests.post(
         "resolution": 1080,
         "extension": "mp4"
     },
-    stream=True
+    stream=True,
 )
 
 if response.status_code == 200:
@@ -139,28 +148,29 @@ else:
 
 ---
 
-## ⚙️ Configuration
+## Configuration
 
-### Installation Script Variables
+### Installation script variables
 
-These environment variables configure the VPS installation (they can be overridden when running the script):
+These environment variables configure the VPS installation (you can override them when running the script).
 
 | Variable                 | Description                             | Default               |
 | ------------------------ | --------------------------------------- | --------------------- |
 | `PORT`                   | API server port                         | `5000`                |
 | `APP_DIR`                | Installation directory                  | `/opt/yt-dlp-mullvad` |
-| `MV_ACCOUNT`             | Mullvad account number                  | your mullvad id       |
+| `MV_ACCOUNT`             | Mullvad account number                  | (empty)               |
 | `YTPDL_MAX_CONCURRENT`   | Max simultaneous downloads (API cap)    | `1`                   |
 | `YTPDL_MULLVAD_LOCATION` | Mullvad relay location code (e.g. `us`) | `us`                  |
+| `GUNICORN_THREADS`       | Threads per Gunicorn worker             | `4`                   |
 
 Notes:
 
 * If `MV_ACCOUNT` is set, the installer attempts `mullvad account login <MV_ACCOUNT>` once.
 * If `MV_ACCOUNT` is left empty, the script skips login and assumes Mullvad is already configured.
 
-### Runtime Environment Variables
+### Runtime environment variables
 
-After installation, these variables control the API behavior. They are set in `/etc/default/ytp-dl-api` and can be edited manually:
+After installation, these are set in `/etc/default/ytp-dl-api` and can be edited manually.
 
 | Variable                 | Description                   | Default                    |
 | ------------------------ | ----------------------------- | -------------------------- |
@@ -177,50 +187,33 @@ sudo systemctl restart ytp-dl-api
 
 ---
 
-## 🔧 Managing Your VPS Service
-
-### View Service Status
+## Managing your VPS service
 
 ```bash
 sudo systemctl status ytp-dl-api
-```
-
-### View Logs
-
-```bash
 sudo journalctl -u ytp-dl-api -f
-```
-
-### Restart Service
-
-```bash
 sudo systemctl restart ytp-dl-api
-```
-
-### Stop/Start Service
-
-```bash
 sudo systemctl stop ytp-dl-api
 sudo systemctl start ytp-dl-api
 ```
 
 ---
 
-## 📋 API Reference
+## API reference
 
 ### POST `/api/download`
 
-**Request Body:**
+Request body:
 
 ```json
 {
   "url": "string (required)",
   "resolution": "integer (optional, default: 1080)",
-  "extension": "string (optional, 'mp4' or 'mp3')"
+  "extension": "string (optional, 'mp4', 'mp3', or 'best')"
 }
 ```
 
-**Response:**
+Response:
 
 * `200 OK` - File download stream
 * `400 Bad Request` - Missing or invalid URL
@@ -229,8 +222,6 @@ sudo systemctl start ytp-dl-api
 
 ### GET `/healthz`
 
-**Response:**
-
 ```json
 {
   "ok": true,
@@ -241,16 +232,22 @@ sudo systemctl start ytp-dl-api
 
 ---
 
-## 🖥️ VPS Deployment
+## VPS deployment
+
+### Why policy routing is included
+
+When Mullvad connects/disconnects, Linux routing can change in a way that breaks inbound TCP handshakes (clients see intermittent connection timeouts). The installer sets up a small policy-routing rule that forces replies sourced from your public VPS IP to use the public interface, keeping the API reachable even while Mullvad is cycling.
 
-**What it does:**
+### What the installer does
 
-* ✅ Installs Python, FFmpeg, and Mullvad CLI
-* ✅ Installs Deno system-wide (required by yt-dlp for modern YouTube extraction)
-* ✅ Creates virtualenv at `/opt/yt-dlp-mullvad/venv`
-* ✅ Installs `ytp-dl==0.6.4` + `yt-dlp[default]` into the virtualenv
-* ✅ Sets up systemd service on port 5000
-* ✅ Configures Gunicorn with gthread (threaded) workers
+* Installs Python, FFmpeg, Mullvad CLI, and Deno
+* Creates a virtualenv at `/opt/yt-dlp-mullvad/venv`
+* Installs `ytp-dl==0.6.5` + `yt-dlp[default]` + `gunicorn`
+* Installs a policy-routing oneshot service to keep the public API reachable
+* Sets up a systemd service on port 5000
+* Runs Gunicorn with `gthread` (threaded) workers
+
+Note: `gthread` is a built-in Gunicorn worker class (no extra Python dependency).
 
 ```bash
 #!/usr/bin/env bash
@@ -259,9 +256,10 @@ sudo systemctl start ytp-dl-api
 # What this does:
 #   - Installs Python, ffmpeg, Mullvad CLI
 #   - Installs Deno system-wide (JS runtime required for modern YouTube extraction via yt-dlp)
+#   - Configures policy routing so the public API stays reachable while Mullvad toggles
 #   - Creates a virtualenv at /opt/yt-dlp-mullvad/venv
-#   - Installs ytp-dl==0.6.4 + yt-dlp[default] + gunicorn + gevent in that venv
-#   - Creates a simple systemd service ytp-dl-api.service on port 5000
+#   - Installs ytp-dl==0.6.5 + yt-dlp[default] + gunicorn in that venv
+#   - Creates a systemd service ytp-dl-api.service on port 5000
 #
 # Mullvad connect/disconnect is handled per-job by downloader.py.
 
@@ -272,18 +270,33 @@ PORT="${PORT:-5000}"                           # API listen port
 APP_DIR="${APP_DIR:-/opt/yt-dlp-mullvad}"      # app/venv root
 VENV_DIR="${VENV_DIR:-${APP_DIR}/venv}"        # python venv
 
-MV_ACCOUNT="${MV_ACCOUNT:-}"                   # Mullvad account (put number after -)
+MV_ACCOUNT="${MV_ACCOUNT:-}"                   # Mullvad account (optional)
 YTPDL_MAX_CONCURRENT="${YTPDL_MAX_CONCURRENT:-1}"        # API concurrency cap
 YTPDL_MULLVAD_LOCATION="${YTPDL_MULLVAD_LOCATION:-us}"   # default Mullvad relay hint
-GUNICORN_THREADS="${GUNICORN_THREADS:-4}"             # keep API responsive on tiny VPS
+GUNICORN_THREADS="${GUNICORN_THREADS:-4}"               # keep API responsive on small VPS
 ### -------------------------------------------------------------------------
 
 [[ "${EUID}" -eq 0 ]] || { echo "Please run as root"; exit 1; }
 export DEBIAN_FRONTEND=noninteractive
 
+echo "==> 0) Capture public routing (pre-VPN)"
+PUB_DEV="$(ip route show default | awk '/default/ {print $5; exit}')"
+PUB_GW="$(ip route show default | awk '/default/ {print $3; exit}')"
+PUB_IP="$(ip -4 addr show dev "${PUB_DEV}" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n1)"
+
+if [[ -z "${PUB_DEV}" || -z "${PUB_GW}" || -z "${PUB_IP}" ]]; then
+  echo "Failed to detect public routing (PUB_DEV/PUB_GW/PUB_IP)."
+  echo "PUB_DEV=${PUB_DEV} PUB_GW=${PUB_GW} PUB_IP=${PUB_IP}"
+  exit 1
+fi
+
+echo "Public dev: ${PUB_DEV} | gw: ${PUB_GW} | ip: ${PUB_IP}"
+
 echo "==> 1) Base packages & Mullvad CLI"
 apt-get update
-apt-get install -yq --no-install-recommends   python3-venv python3-pip curl ffmpeg ca-certificates unzip
+apt-get install -yq --no-install-recommends \
+  python3-venv python3-pip curl ffmpeg ca-certificates unzip \
+  iproute2 iptables
 
 if ! command -v mullvad >/dev/null 2>&1; then
   curl -fsSLo /tmp/mullvad.deb https://mullvad.net/download/app/deb/latest/
@@ -302,6 +315,72 @@ mullvad status || true
 mullvad lockdown-mode set off || true
 mullvad lan set allow || true
 
+echo "==> 1.1) Policy routing: keep replies from ${PUB_IP} on ${PUB_DEV}"
+# Loose reverse-path filtering avoids drops when the default route changes under VPN.
+tee /etc/sysctl.d/99-ytpdl-policy-routing.conf >/dev/null <<EOF
+net.ipv4.conf.all.rp_filter=2
+net.ipv4.conf.default.rp_filter=2
+net.ipv4.conf.${PUB_DEV}.rp_filter=2
+EOF
+sysctl --system >/dev/null
+
+# Persist the detected public route info for re-apply at boot.
+tee /etc/default/ytpdl-policy-routing >/dev/null <<EOF
+PUB_DEV=${PUB_DEV}
+PUB_GW=${PUB_GW}
+PUB_IP=${PUB_IP}
+EOF
+
+# Add a routing table id if it doesn't already exist.
+grep -qE '^100\s+ytpdl-public$' /etc/iproute2/rt_tables || echo '100 ytpdl-public' >> /etc/iproute2/rt_tables
+
+# Idempotent apply script.
+tee /usr/local/sbin/ytpdl-policy-routing.sh >/dev/null <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+source /etc/default/ytpdl-policy-routing
+
+TABLE_ID="100"
+TABLE_NAME="ytpdl-public"
+PRIO="11000"
+
+# Ensure table has the public default route.
+ip route replace default via "${PUB_GW}" dev "${PUB_DEV}" table "${TABLE_NAME}"
+
+# Ensure rule exists (replace is not supported for rules).
+if ip rule show | grep -qE "^${PRIO}:.*from ${PUB_IP}/32 lookup ${TABLE_NAME}\b"; then
+  :
+else
+  # remove any stale rule at this priority
+  while ip rule show | grep -qE "^${PRIO}:"; do
+    ip rule del priority "${PRIO}" || true
+  done
+  ip rule add priority "${PRIO}" from "${PUB_IP}/32" table "${TABLE_NAME}"
+fi
+
+ip route flush cache || true
+EOF
+chmod +x /usr/local/sbin/ytpdl-policy-routing.sh
+
+tee /etc/systemd/system/ytpdl-policy-routing.service >/dev/null <<EOF
+[Unit]
+Description=ytp-dl policy routing (keep public API reachable)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/ytpdl-policy-routing.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now ytpdl-policy-routing.service
+
 echo "==> 1.5) Install Deno (system-wide, for yt-dlp YouTube extraction)"
 # Install into /usr/local/bin/deno so systemd PATH can see it.
 # Official installer supports system-wide install via DENO_INSTALL=/usr/local.
@@ -315,7 +394,7 @@ mkdir -p "${APP_DIR}"
 python3 -m venv "${VENV_DIR}"
 source "${VENV_DIR}/bin/activate"
 pip install --upgrade pip
-pip install "ytp-dl==0.6.4" "yt-dlp[default]" gunicorn
+pip install "ytp-dl==0.6.5" "yt-dlp[default]" gunicorn
 deactivate
 
 echo "==> 3) API environment file (/etc/default/ytp-dl-api)"
@@ -329,8 +408,9 @@ echo "==> 4) Gunicorn systemd service (ytp-dl-api.service on :${PORT})"
 tee /etc/systemd/system/ytp-dl-api.service >/dev/null <<EOF
 [Unit]
 Description=Gunicorn for ytp-dl Mullvad API (minimal)
-After=network-online.target
+After=network-online.target ytpdl-policy-routing.service
 Wants=network-online.target
+Requires=ytpdl-policy-routing.service
 
 [Service]
 User=root
@@ -339,7 +419,9 @@ EnvironmentFile=/etc/default/ytp-dl-api
 Environment=VIRTUAL_ENV=${VENV_DIR}
 Environment=PATH=${VENV_DIR}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
 
-ExecStart=${VENV_DIR}/bin/gunicorn -k gthread -w 1 --threads ${GUNICORN_THREADS}   --timeout 0 --graceful-timeout 15 --keep-alive 20   --bind 0.0.0.0:${PORT} scripts.api:app
+ExecStart=${VENV_DIR}/bin/gunicorn -k gthread -w 1 --threads ${GUNICORN_THREADS} \
+  --timeout 0 --graceful-timeout 15 --keep-alive 20 \
+  --bind 0.0.0.0:${PORT} scripts.api:app
 
 Restart=always
 RestartSec=3
@@ -368,5 +450,6 @@ echo "========================================="
 echo "Installation complete!"
 echo "API running on port ${PORT}"
 echo "Test from outside: curl http://YOUR_VPS_IP:${PORT}/healthz"
+echo "If you use UFW: sudo ufw allow ${PORT}/tcp"
 echo "========================================="
 ```

{ytp_dl-0.6.4 → ytp_dl-0.6.6}/README.md

@@ -1,38 +1,38 @@
 # ytp-dl
 
-> A lightweight YouTube downloader with Mullvad VPN integration and HTTP API
+A lightweight YouTube downloader with Mullvad VPN integration and an HTTP API.
 
 [![PyPI version](https://img.shields.io/pypi/v/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![Python Support](https://img.shields.io/pypi/pyversions/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![License](https://img.shields.io/pypi/l/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![Downloads](https://img.shields.io/pypi/dm/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 
-**ytp-dl** is a privacy-focused YouTube downloader that automatically routes downloads through Mullvad VPN via an HTTP API.
+**ytp-dl** is a privacy-focused YouTube downloader that routes downloads through Mullvad VPN via an HTTP API.
 
 ---
 
-## ✨ Features
+## Features
 
-* 🔒 **Privacy First** — Automatically connects/disconnects Mullvad VPN per download
-* 🎥 **Smart Quality Selection** — Prefers 1080p H.264 + AAC (no transcoding needed)
-* 🎵 **Audio Downloads** — Extract audio as MP3
-* 🚀 **HTTP API** — Simple Flask-based API with concurrency controls
-* ⚡ **VPS Ready** — Includes automated installer script for Ubuntu
+* Privacy-first: connect/disconnect Mullvad per download
+* Smart quality selection: prefers 1080p H.264 + AAC (no transcoding)
+* Audio downloads: extract audio as MP3
+* HTTP API: simple Flask API with concurrency controls
+* VPS-ready: automated installer script for Ubuntu
 
 ---
 
-## 📦 Installation
+## Installation
 
 ```bash
-pip install ytp-dl==0.6.4 yt-dlp[default]
+pip install ytp-dl==0.6.5 yt-dlp[default]
 ```
 
-**Requirements:**
+Requirements:
 
-* Linux operating system (tested on Ubuntu 24.04/25.04)
-* [Mullvad CLI](https://mullvad.net/en/download/vpn/linux) installed and configured
-* FFmpeg (for handling audio + video)
-* Deno (system-wide, required by yt-dlp for modern YouTube extraction)
+* Linux (tested on Ubuntu 24.04/25.04)
+* Mullvad CLI installed and configured
+* FFmpeg (audio/video handling)
+* Deno (system-wide; required by yt-dlp for modern YouTube extraction)
 * Python 3.8+
 
 Notes:
@@ -41,29 +41,38 @@ Notes:
 
 ---
 
-## 🎯 Using Your VPS
+## Using your VPS
 
-Once your VPS is running, you can download videos using simple HTTP requests:
+Once your VPS is running, you can download videos using simple HTTP requests.
 
-### Download a Video (1080p MP4)
+### Download a video (1080p MP4)
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}'   --output video.mp4
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}' \
+  --output video.mp4
 ```
 
-### Download Audio Only (MP3)
+### Download audio only (MP3)
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "extension": "mp3"}'   --output audio.mp3
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "extension": "mp3"}' \
+  --output audio.mp3
 ```
 
-### Download at Specific Resolution
+### Download at a specific resolution
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "resolution": 720}'   --output video.mp4
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "resolution": 720}' \
+  --output video.mp4
 ```
 
-### Check Server Health
+### Check server health
 
 ```bash
 curl http://YOUR_VPS_IP:5000/healthz
@@ -91,7 +100,7 @@ response = requests.post(
         "resolution": 1080,
         "extension": "mp4"
     },
-    stream=True
+    stream=True,
 )
 
 if response.status_code == 200:
@@ -106,28 +115,29 @@ else:
 
 ---
 
-## ⚙️ Configuration
+## Configuration
 
-### Installation Script Variables
+### Installation script variables
 
-These environment variables configure the VPS installation (they can be overridden when running the script):
+These environment variables configure the VPS installation (you can override them when running the script).
 
 | Variable                 | Description                             | Default               |
 | ------------------------ | --------------------------------------- | --------------------- |
 | `PORT`                   | API server port                         | `5000`                |
 | `APP_DIR`                | Installation directory                  | `/opt/yt-dlp-mullvad` |
-| `MV_ACCOUNT`             | Mullvad account number                  | your mullvad id       |
+| `MV_ACCOUNT`             | Mullvad account number                  | (empty)               |
 | `YTPDL_MAX_CONCURRENT`   | Max simultaneous downloads (API cap)    | `1`                   |
 | `YTPDL_MULLVAD_LOCATION` | Mullvad relay location code (e.g. `us`) | `us`                  |
+| `GUNICORN_THREADS`       | Threads per Gunicorn worker             | `4`                   |
 
 Notes:
 
 * If `MV_ACCOUNT` is set, the installer attempts `mullvad account login <MV_ACCOUNT>` once.
 * If `MV_ACCOUNT` is left empty, the script skips login and assumes Mullvad is already configured.
 
-### Runtime Environment Variables
+### Runtime environment variables
 
-After installation, these variables control the API behavior. They are set in `/etc/default/ytp-dl-api` and can be edited manually:
+After installation, these are set in `/etc/default/ytp-dl-api` and can be edited manually.
 
 | Variable                 | Description                   | Default                    |
 | ------------------------ | ----------------------------- | -------------------------- |
@@ -144,50 +154,33 @@ sudo systemctl restart ytp-dl-api
 
 ---
 
-## 🔧 Managing Your VPS Service
-
-### View Service Status
+## Managing your VPS service
 
 ```bash
 sudo systemctl status ytp-dl-api
-```
-
-### View Logs
-
-```bash
 sudo journalctl -u ytp-dl-api -f
-```
-
-### Restart Service
-
-```bash
 sudo systemctl restart ytp-dl-api
-```
-
-### Stop/Start Service
-
-```bash
 sudo systemctl stop ytp-dl-api
 sudo systemctl start ytp-dl-api
 ```
 
 ---
 
-## 📋 API Reference
+## API reference
 
 ### POST `/api/download`
 
-**Request Body:**
+Request body:
 
 ```json
 {
   "url": "string (required)",
   "resolution": "integer (optional, default: 1080)",
-  "extension": "string (optional, 'mp4' or 'mp3')"
+  "extension": "string (optional, 'mp4', 'mp3', or 'best')"
 }
 ```
 
-**Response:**
+Response:
 
 * `200 OK` - File download stream
 * `400 Bad Request` - Missing or invalid URL
@@ -196,8 +189,6 @@ sudo systemctl start ytp-dl-api
 
 ### GET `/healthz`
 
-**Response:**
-
 ```json
 {
   "ok": true,
@@ -208,16 +199,22 @@ sudo systemctl start ytp-dl-api
 
 ---
 
-## 🖥️ VPS Deployment
+## VPS deployment
+
+### Why policy routing is included
+
+When Mullvad connects/disconnects, Linux routing can change in a way that breaks inbound TCP handshakes (clients see intermittent connection timeouts). The installer sets up a small policy-routing rule that forces replies sourced from your public VPS IP to use the public interface, keeping the API reachable even while Mullvad is cycling.
 
-**What it does:**
+### What the installer does
 
-* ✅ Installs Python, FFmpeg, and Mullvad CLI
-* ✅ Installs Deno system-wide (required by yt-dlp for modern YouTube extraction)
-* ✅ Creates virtualenv at `/opt/yt-dlp-mullvad/venv`
-* ✅ Installs `ytp-dl==0.6.4` + `yt-dlp[default]` into the virtualenv
-* ✅ Sets up systemd service on port 5000
-* ✅ Configures Gunicorn with gthread (threaded) workers
+* Installs Python, FFmpeg, Mullvad CLI, and Deno
+* Creates a virtualenv at `/opt/yt-dlp-mullvad/venv`
+* Installs `ytp-dl==0.6.5` + `yt-dlp[default]` + `gunicorn`
+* Installs a policy-routing oneshot service to keep the public API reachable
+* Sets up a systemd service on port 5000
+* Runs Gunicorn with `gthread` (threaded) workers
+
+Note: `gthread` is a built-in Gunicorn worker class (no extra Python dependency).
 
 ```bash
 #!/usr/bin/env bash
@@ -226,9 +223,10 @@ sudo systemctl start ytp-dl-api
 # What this does:
 #   - Installs Python, ffmpeg, Mullvad CLI
 #   - Installs Deno system-wide (JS runtime required for modern YouTube extraction via yt-dlp)
+#   - Configures policy routing so the public API stays reachable while Mullvad toggles
 #   - Creates a virtualenv at /opt/yt-dlp-mullvad/venv
-#   - Installs ytp-dl==0.6.4 + yt-dlp[default] + gunicorn + gevent in that venv
-#   - Creates a simple systemd service ytp-dl-api.service on port 5000
+#   - Installs ytp-dl==0.6.5 + yt-dlp[default] + gunicorn in that venv
+#   - Creates a systemd service ytp-dl-api.service on port 5000
 #
 # Mullvad connect/disconnect is handled per-job by downloader.py.
 
@@ -239,18 +237,33 @@ PORT="${PORT:-5000}"                           # API listen port
 APP_DIR="${APP_DIR:-/opt/yt-dlp-mullvad}"      # app/venv root
 VENV_DIR="${VENV_DIR:-${APP_DIR}/venv}"        # python venv
 
-MV_ACCOUNT="${MV_ACCOUNT:-}"                   # Mullvad account (put number after -)
+MV_ACCOUNT="${MV_ACCOUNT:-}"                   # Mullvad account (optional)
 YTPDL_MAX_CONCURRENT="${YTPDL_MAX_CONCURRENT:-1}"        # API concurrency cap
 YTPDL_MULLVAD_LOCATION="${YTPDL_MULLVAD_LOCATION:-us}"   # default Mullvad relay hint
-GUNICORN_THREADS="${GUNICORN_THREADS:-4}"             # keep API responsive on tiny VPS
+GUNICORN_THREADS="${GUNICORN_THREADS:-4}"               # keep API responsive on small VPS
 ### -------------------------------------------------------------------------
 
 [[ "${EUID}" -eq 0 ]] || { echo "Please run as root"; exit 1; }
 export DEBIAN_FRONTEND=noninteractive
 
+echo "==> 0) Capture public routing (pre-VPN)"
+PUB_DEV="$(ip route show default | awk '/default/ {print $5; exit}')"
+PUB_GW="$(ip route show default | awk '/default/ {print $3; exit}')"
+PUB_IP="$(ip -4 addr show dev "${PUB_DEV}" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n1)"
+
+if [[ -z "${PUB_DEV}" || -z "${PUB_GW}" || -z "${PUB_IP}" ]]; then
+  echo "Failed to detect public routing (PUB_DEV/PUB_GW/PUB_IP)."
+  echo "PUB_DEV=${PUB_DEV} PUB_GW=${PUB_GW} PUB_IP=${PUB_IP}"
+  exit 1
+fi
+
+echo "Public dev: ${PUB_DEV} | gw: ${PUB_GW} | ip: ${PUB_IP}"
+
 echo "==> 1) Base packages & Mullvad CLI"
 apt-get update
-apt-get install -yq --no-install-recommends   python3-venv python3-pip curl ffmpeg ca-certificates unzip
+apt-get install -yq --no-install-recommends \
+  python3-venv python3-pip curl ffmpeg ca-certificates unzip \
+  iproute2 iptables
 
 if ! command -v mullvad >/dev/null 2>&1; then
   curl -fsSLo /tmp/mullvad.deb https://mullvad.net/download/app/deb/latest/
@@ -269,6 +282,72 @@ mullvad status || true
 mullvad lockdown-mode set off || true
 mullvad lan set allow || true
 
+echo "==> 1.1) Policy routing: keep replies from ${PUB_IP} on ${PUB_DEV}"
+# Loose reverse-path filtering avoids drops when the default route changes under VPN.
+tee /etc/sysctl.d/99-ytpdl-policy-routing.conf >/dev/null <<EOF
+net.ipv4.conf.all.rp_filter=2
+net.ipv4.conf.default.rp_filter=2
+net.ipv4.conf.${PUB_DEV}.rp_filter=2
+EOF
+sysctl --system >/dev/null
+
+# Persist the detected public route info for re-apply at boot.
+tee /etc/default/ytpdl-policy-routing >/dev/null <<EOF
+PUB_DEV=${PUB_DEV}
+PUB_GW=${PUB_GW}
+PUB_IP=${PUB_IP}
+EOF
+
+# Add a routing table id if it doesn't already exist.
+grep -qE '^100\s+ytpdl-public$' /etc/iproute2/rt_tables || echo '100 ytpdl-public' >> /etc/iproute2/rt_tables
+
+# Idempotent apply script.
+tee /usr/local/sbin/ytpdl-policy-routing.sh >/dev/null <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+source /etc/default/ytpdl-policy-routing
+
+TABLE_ID="100"
+TABLE_NAME="ytpdl-public"
+PRIO="11000"
+
+# Ensure table has the public default route.
+ip route replace default via "${PUB_GW}" dev "${PUB_DEV}" table "${TABLE_NAME}"
+
+# Ensure rule exists (replace is not supported for rules).
+if ip rule show | grep -qE "^${PRIO}:.*from ${PUB_IP}/32 lookup ${TABLE_NAME}\b"; then
+  :
+else
+  # remove any stale rule at this priority
+  while ip rule show | grep -qE "^${PRIO}:"; do
+    ip rule del priority "${PRIO}" || true
+  done
+  ip rule add priority "${PRIO}" from "${PUB_IP}/32" table "${TABLE_NAME}"
+fi
+
+ip route flush cache || true
+EOF
+chmod +x /usr/local/sbin/ytpdl-policy-routing.sh
+
+tee /etc/systemd/system/ytpdl-policy-routing.service >/dev/null <<EOF
+[Unit]
+Description=ytp-dl policy routing (keep public API reachable)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/ytpdl-policy-routing.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now ytpdl-policy-routing.service
+
 echo "==> 1.5) Install Deno (system-wide, for yt-dlp YouTube extraction)"
 # Install into /usr/local/bin/deno so systemd PATH can see it.
 # Official installer supports system-wide install via DENO_INSTALL=/usr/local.
@@ -282,7 +361,7 @@ mkdir -p "${APP_DIR}"
 python3 -m venv "${VENV_DIR}"
 source "${VENV_DIR}/bin/activate"
 pip install --upgrade pip
-pip install "ytp-dl==0.6.4" "yt-dlp[default]" gunicorn
+pip install "ytp-dl==0.6.5" "yt-dlp[default]" gunicorn
 deactivate
 
 echo "==> 3) API environment file (/etc/default/ytp-dl-api)"
@@ -296,8 +375,9 @@ echo "==> 4) Gunicorn systemd service (ytp-dl-api.service on :${PORT})"
 tee /etc/systemd/system/ytp-dl-api.service >/dev/null <<EOF
 [Unit]
 Description=Gunicorn for ytp-dl Mullvad API (minimal)
-After=network-online.target
+After=network-online.target ytpdl-policy-routing.service
 Wants=network-online.target
+Requires=ytpdl-policy-routing.service
 
 [Service]
 User=root
@@ -306,7 +386,9 @@ EnvironmentFile=/etc/default/ytp-dl-api
 Environment=VIRTUAL_ENV=${VENV_DIR}
 Environment=PATH=${VENV_DIR}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
 
-ExecStart=${VENV_DIR}/bin/gunicorn -k gthread -w 1 --threads ${GUNICORN_THREADS}   --timeout 0 --graceful-timeout 15 --keep-alive 20   --bind 0.0.0.0:${PORT} scripts.api:app
+ExecStart=${VENV_DIR}/bin/gunicorn -k gthread -w 1 --threads ${GUNICORN_THREADS} \
+  --timeout 0 --graceful-timeout 15 --keep-alive 20 \
+  --bind 0.0.0.0:${PORT} scripts.api:app
 
 Restart=always
 RestartSec=3
@@ -335,5 +417,6 @@ echo "========================================="
 echo "Installation complete!"
 echo "API running on port ${PORT}"
 echo "Test from outside: curl http://YOUR_VPS_IP:${PORT}/healthz"
+echo "If you use UFW: sudo ufw allow ${PORT}/tcp"
 echo "========================================="
-```
+```

{ytp_dl-0.6.4 → ytp_dl-0.6.6}/setup.py

@@ -8,7 +8,7 @@ with open("requirements.txt", "r", encoding="utf-8") as fh:
 
 setup(
     name="ytp-dl",
-    version="0.6.4", 
+    version="0.6.6", 
     author="dumgum82",
     author_email="dumgum42@gmail.com",
     description="YouTube video downloader with Mullvad VPN integration and Flask API",

{ytp_dl-0.6.4 → ytp_dl-0.6.6}/ytp_dl.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: ytp-dl
-Version: 0.6.4
+Version: 0.6.6
 Summary: YouTube video downloader with Mullvad VPN integration and Flask API
 Home-page: https://github.com/yourusername/ytp-dl
 Author: dumgum82
@@ -33,39 +33,39 @@ Dynamic: summary
 
 # ytp-dl
 
-> A lightweight YouTube downloader with Mullvad VPN integration and HTTP API
+A lightweight YouTube downloader with Mullvad VPN integration and an HTTP API.
 
 [![PyPI version](https://img.shields.io/pypi/v/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![Python Support](https://img.shields.io/pypi/pyversions/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![License](https://img.shields.io/pypi/l/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 [![Downloads](https://img.shields.io/pypi/dm/ytp-dl.svg)](https://pypi.org/project/ytp-dl/)
 
-**ytp-dl** is a privacy-focused YouTube downloader that automatically routes downloads through Mullvad VPN via an HTTP API.
+**ytp-dl** is a privacy-focused YouTube downloader that routes downloads through Mullvad VPN via an HTTP API.
 
 ---
 
-## ✨ Features
+## Features
 
-* 🔒 **Privacy First** — Automatically connects/disconnects Mullvad VPN per download
-* 🎥 **Smart Quality Selection** — Prefers 1080p H.264 + AAC (no transcoding needed)
-* 🎵 **Audio Downloads** — Extract audio as MP3
-* 🚀 **HTTP API** — Simple Flask-based API with concurrency controls
-* ⚡ **VPS Ready** — Includes automated installer script for Ubuntu
+* Privacy-first: connect/disconnect Mullvad per download
+* Smart quality selection: prefers 1080p H.264 + AAC (no transcoding)
+* Audio downloads: extract audio as MP3
+* HTTP API: simple Flask API with concurrency controls
+* VPS-ready: automated installer script for Ubuntu
 
 ---
 
-## 📦 Installation
+## Installation
 
 ```bash
-pip install ytp-dl==0.6.4 yt-dlp[default]
+pip install ytp-dl==0.6.5 yt-dlp[default]
 ```
 
-**Requirements:**
+Requirements:
 
-* Linux operating system (tested on Ubuntu 24.04/25.04)
-* [Mullvad CLI](https://mullvad.net/en/download/vpn/linux) installed and configured
-* FFmpeg (for handling audio + video)
-* Deno (system-wide, required by yt-dlp for modern YouTube extraction)
+* Linux (tested on Ubuntu 24.04/25.04)
+* Mullvad CLI installed and configured
+* FFmpeg (audio/video handling)
+* Deno (system-wide; required by yt-dlp for modern YouTube extraction)
 * Python 3.8+
 
 Notes:
@@ -74,29 +74,38 @@ Notes:
 
 ---
 
-## 🎯 Using Your VPS
+## Using your VPS
 
-Once your VPS is running, you can download videos using simple HTTP requests:
+Once your VPS is running, you can download videos using simple HTTP requests.
 
-### Download a Video (1080p MP4)
+### Download a video (1080p MP4)
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}'   --output video.mp4
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}' \
+  --output video.mp4
 ```
 
-### Download Audio Only (MP3)
+### Download audio only (MP3)
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "extension": "mp3"}'   --output audio.mp3
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "extension": "mp3"}' \
+  --output audio.mp3
 ```
 
-### Download at Specific Resolution
+### Download at a specific resolution
 
 ```bash
-curl -X POST http://YOUR_VPS_IP:5000/api/download   -H "Content-Type: application/json"   -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "resolution": 720}'   --output video.mp4
+curl -X POST http://YOUR_VPS_IP:5000/api/download \
+  -H "Content-Type: application/json" \
+  -d '{"url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ", "resolution": 720}' \
+  --output video.mp4
 ```
 
-### Check Server Health
+### Check server health
 
 ```bash
 curl http://YOUR_VPS_IP:5000/healthz
@@ -124,7 +133,7 @@ response = requests.post(
         "resolution": 1080,
         "extension": "mp4"
     },
-    stream=True
+    stream=True,
 )
 
 if response.status_code == 200:
@@ -139,28 +148,29 @@ else:
 
 ---
 
-## ⚙️ Configuration
+## Configuration
 
-### Installation Script Variables
+### Installation script variables
 
-These environment variables configure the VPS installation (they can be overridden when running the script):
+These environment variables configure the VPS installation (you can override them when running the script).
 
 | Variable                 | Description                             | Default               |
 | ------------------------ | --------------------------------------- | --------------------- |
 | `PORT`                   | API server port                         | `5000`                |
 | `APP_DIR`                | Installation directory                  | `/opt/yt-dlp-mullvad` |
-| `MV_ACCOUNT`             | Mullvad account number                  | your mullvad id       |
+| `MV_ACCOUNT`             | Mullvad account number                  | (empty)               |
 | `YTPDL_MAX_CONCURRENT`   | Max simultaneous downloads (API cap)    | `1`                   |
 | `YTPDL_MULLVAD_LOCATION` | Mullvad relay location code (e.g. `us`) | `us`                  |
+| `GUNICORN_THREADS`       | Threads per Gunicorn worker             | `4`                   |
 
 Notes:
 
 * If `MV_ACCOUNT` is set, the installer attempts `mullvad account login <MV_ACCOUNT>` once.
 * If `MV_ACCOUNT` is left empty, the script skips login and assumes Mullvad is already configured.
 
-### Runtime Environment Variables
+### Runtime environment variables
 
-After installation, these variables control the API behavior. They are set in `/etc/default/ytp-dl-api` and can be edited manually:
+After installation, these are set in `/etc/default/ytp-dl-api` and can be edited manually.
 
 | Variable                 | Description                   | Default                    |
 | ------------------------ | ----------------------------- | -------------------------- |
@@ -177,50 +187,33 @@ sudo systemctl restart ytp-dl-api
 
 ---
 
-## 🔧 Managing Your VPS Service
-
-### View Service Status
+## Managing your VPS service
 
 ```bash
 sudo systemctl status ytp-dl-api
-```
-
-### View Logs
-
-```bash
 sudo journalctl -u ytp-dl-api -f
-```
-
-### Restart Service
-
-```bash
 sudo systemctl restart ytp-dl-api
-```
-
-### Stop/Start Service
-
-```bash
 sudo systemctl stop ytp-dl-api
 sudo systemctl start ytp-dl-api
 ```
 
 ---
 
-## 📋 API Reference
+## API reference
 
 ### POST `/api/download`
 
-**Request Body:**
+Request body:
 
 ```json
 {
   "url": "string (required)",
   "resolution": "integer (optional, default: 1080)",
-  "extension": "string (optional, 'mp4' or 'mp3')"
+  "extension": "string (optional, 'mp4', 'mp3', or 'best')"
 }
 ```
 
-**Response:**
+Response:
 
 * `200 OK` - File download stream
 * `400 Bad Request` - Missing or invalid URL
@@ -229,8 +222,6 @@ sudo systemctl start ytp-dl-api
 
 ### GET `/healthz`
 
-**Response:**
-
 ```json
 {
   "ok": true,
@@ -241,16 +232,22 @@ sudo systemctl start ytp-dl-api
 
 ---
 
-## 🖥️ VPS Deployment
+## VPS deployment
+
+### Why policy routing is included
+
+When Mullvad connects/disconnects, Linux routing can change in a way that breaks inbound TCP handshakes (clients see intermittent connection timeouts). The installer sets up a small policy-routing rule that forces replies sourced from your public VPS IP to use the public interface, keeping the API reachable even while Mullvad is cycling.
 
-**What it does:**
+### What the installer does
 
-* ✅ Installs Python, FFmpeg, and Mullvad CLI
-* ✅ Installs Deno system-wide (required by yt-dlp for modern YouTube extraction)
-* ✅ Creates virtualenv at `/opt/yt-dlp-mullvad/venv`
-* ✅ Installs `ytp-dl==0.6.4` + `yt-dlp[default]` into the virtualenv
-* ✅ Sets up systemd service on port 5000
-* ✅ Configures Gunicorn with gthread (threaded) workers
+* Installs Python, FFmpeg, Mullvad CLI, and Deno
+* Creates a virtualenv at `/opt/yt-dlp-mullvad/venv`
+* Installs `ytp-dl==0.6.5` + `yt-dlp[default]` + `gunicorn`
+* Installs a policy-routing oneshot service to keep the public API reachable
+* Sets up a systemd service on port 5000
+* Runs Gunicorn with `gthread` (threaded) workers
+
+Note: `gthread` is a built-in Gunicorn worker class (no extra Python dependency).
 
 ```bash
 #!/usr/bin/env bash
@@ -259,9 +256,10 @@ sudo systemctl start ytp-dl-api
 # What this does:
 #   - Installs Python, ffmpeg, Mullvad CLI
 #   - Installs Deno system-wide (JS runtime required for modern YouTube extraction via yt-dlp)
+#   - Configures policy routing so the public API stays reachable while Mullvad toggles
 #   - Creates a virtualenv at /opt/yt-dlp-mullvad/venv
-#   - Installs ytp-dl==0.6.4 + yt-dlp[default] + gunicorn + gevent in that venv
-#   - Creates a simple systemd service ytp-dl-api.service on port 5000
+#   - Installs ytp-dl==0.6.5 + yt-dlp[default] + gunicorn in that venv
+#   - Creates a systemd service ytp-dl-api.service on port 5000
 #
 # Mullvad connect/disconnect is handled per-job by downloader.py.
 
@@ -272,18 +270,33 @@ PORT="${PORT:-5000}"                           # API listen port
 APP_DIR="${APP_DIR:-/opt/yt-dlp-mullvad}"      # app/venv root
 VENV_DIR="${VENV_DIR:-${APP_DIR}/venv}"        # python venv
 
-MV_ACCOUNT="${MV_ACCOUNT:-}"                   # Mullvad account (put number after -)
+MV_ACCOUNT="${MV_ACCOUNT:-}"                   # Mullvad account (optional)
 YTPDL_MAX_CONCURRENT="${YTPDL_MAX_CONCURRENT:-1}"        # API concurrency cap
 YTPDL_MULLVAD_LOCATION="${YTPDL_MULLVAD_LOCATION:-us}"   # default Mullvad relay hint
-GUNICORN_THREADS="${GUNICORN_THREADS:-4}"             # keep API responsive on tiny VPS
+GUNICORN_THREADS="${GUNICORN_THREADS:-4}"               # keep API responsive on small VPS
 ### -------------------------------------------------------------------------
 
 [[ "${EUID}" -eq 0 ]] || { echo "Please run as root"; exit 1; }
 export DEBIAN_FRONTEND=noninteractive
 
+echo "==> 0) Capture public routing (pre-VPN)"
+PUB_DEV="$(ip route show default | awk '/default/ {print $5; exit}')"
+PUB_GW="$(ip route show default | awk '/default/ {print $3; exit}')"
+PUB_IP="$(ip -4 addr show dev "${PUB_DEV}" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n1)"
+
+if [[ -z "${PUB_DEV}" || -z "${PUB_GW}" || -z "${PUB_IP}" ]]; then
+  echo "Failed to detect public routing (PUB_DEV/PUB_GW/PUB_IP)."
+  echo "PUB_DEV=${PUB_DEV} PUB_GW=${PUB_GW} PUB_IP=${PUB_IP}"
+  exit 1
+fi
+
+echo "Public dev: ${PUB_DEV} | gw: ${PUB_GW} | ip: ${PUB_IP}"
+
 echo "==> 1) Base packages & Mullvad CLI"
 apt-get update
-apt-get install -yq --no-install-recommends   python3-venv python3-pip curl ffmpeg ca-certificates unzip
+apt-get install -yq --no-install-recommends \
+  python3-venv python3-pip curl ffmpeg ca-certificates unzip \
+  iproute2 iptables
 
 if ! command -v mullvad >/dev/null 2>&1; then
   curl -fsSLo /tmp/mullvad.deb https://mullvad.net/download/app/deb/latest/
@@ -302,6 +315,72 @@ mullvad status || true
 mullvad lockdown-mode set off || true
 mullvad lan set allow || true
 
+echo "==> 1.1) Policy routing: keep replies from ${PUB_IP} on ${PUB_DEV}"
+# Loose reverse-path filtering avoids drops when the default route changes under VPN.
+tee /etc/sysctl.d/99-ytpdl-policy-routing.conf >/dev/null <<EOF
+net.ipv4.conf.all.rp_filter=2
+net.ipv4.conf.default.rp_filter=2
+net.ipv4.conf.${PUB_DEV}.rp_filter=2
+EOF
+sysctl --system >/dev/null
+
+# Persist the detected public route info for re-apply at boot.
+tee /etc/default/ytpdl-policy-routing >/dev/null <<EOF
+PUB_DEV=${PUB_DEV}
+PUB_GW=${PUB_GW}
+PUB_IP=${PUB_IP}
+EOF
+
+# Add a routing table id if it doesn't already exist.
+grep -qE '^100\s+ytpdl-public$' /etc/iproute2/rt_tables || echo '100 ytpdl-public' >> /etc/iproute2/rt_tables
+
+# Idempotent apply script.
+tee /usr/local/sbin/ytpdl-policy-routing.sh >/dev/null <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+source /etc/default/ytpdl-policy-routing
+
+TABLE_ID="100"
+TABLE_NAME="ytpdl-public"
+PRIO="11000"
+
+# Ensure table has the public default route.
+ip route replace default via "${PUB_GW}" dev "${PUB_DEV}" table "${TABLE_NAME}"
+
+# Ensure rule exists (replace is not supported for rules).
+if ip rule show | grep -qE "^${PRIO}:.*from ${PUB_IP}/32 lookup ${TABLE_NAME}\b"; then
+  :
+else
+  # remove any stale rule at this priority
+  while ip rule show | grep -qE "^${PRIO}:"; do
+    ip rule del priority "${PRIO}" || true
+  done
+  ip rule add priority "${PRIO}" from "${PUB_IP}/32" table "${TABLE_NAME}"
+fi
+
+ip route flush cache || true
+EOF
+chmod +x /usr/local/sbin/ytpdl-policy-routing.sh
+
+tee /etc/systemd/system/ytpdl-policy-routing.service >/dev/null <<EOF
+[Unit]
+Description=ytp-dl policy routing (keep public API reachable)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/ytpdl-policy-routing.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now ytpdl-policy-routing.service
+
 echo "==> 1.5) Install Deno (system-wide, for yt-dlp YouTube extraction)"
 # Install into /usr/local/bin/deno so systemd PATH can see it.
 # Official installer supports system-wide install via DENO_INSTALL=/usr/local.
@@ -315,7 +394,7 @@ mkdir -p "${APP_DIR}"
 python3 -m venv "${VENV_DIR}"
 source "${VENV_DIR}/bin/activate"
 pip install --upgrade pip
-pip install "ytp-dl==0.6.4" "yt-dlp[default]" gunicorn
+pip install "ytp-dl==0.6.5" "yt-dlp[default]" gunicorn
 deactivate
 
 echo "==> 3) API environment file (/etc/default/ytp-dl-api)"
@@ -329,8 +408,9 @@ echo "==> 4) Gunicorn systemd service (ytp-dl-api.service on :${PORT})"
 tee /etc/systemd/system/ytp-dl-api.service >/dev/null <<EOF
 [Unit]
 Description=Gunicorn for ytp-dl Mullvad API (minimal)
-After=network-online.target
+After=network-online.target ytpdl-policy-routing.service
 Wants=network-online.target
+Requires=ytpdl-policy-routing.service
 
 [Service]
 User=root
@@ -339,7 +419,9 @@ EnvironmentFile=/etc/default/ytp-dl-api
 Environment=VIRTUAL_ENV=${VENV_DIR}
 Environment=PATH=${VENV_DIR}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
 
-ExecStart=${VENV_DIR}/bin/gunicorn -k gthread -w 1 --threads ${GUNICORN_THREADS}   --timeout 0 --graceful-timeout 15 --keep-alive 20   --bind 0.0.0.0:${PORT} scripts.api:app
+ExecStart=${VENV_DIR}/bin/gunicorn -k gthread -w 1 --threads ${GUNICORN_THREADS} \
+  --timeout 0 --graceful-timeout 15 --keep-alive 20 \
+  --bind 0.0.0.0:${PORT} scripts.api:app
 
 Restart=always
 RestartSec=3
@@ -368,5 +450,6 @@ echo "========================================="
 echo "Installation complete!"
 echo "API running on port ${PORT}"
 echo "Test from outside: curl http://YOUR_VPS_IP:${PORT}/healthz"
+echo "If you use UFW: sudo ufw allow ${PORT}/tcp"
 echo "========================================="
 ```