diff --git a/deployments/serverBuild/vpnBuild.yml b/deployments/serverBuild/vpnBuild.yml
index 5a97177..6abf3ac 100644
--- a/deployments/serverBuild/vpnBuild.yml
+++ b/deployments/serverBuild/vpnBuild.yml
@@ -6,6 +6,8 @@
become: yes
vars:
vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]
+ remote_host: 165.22.156.25
+ local_host: 0.0.0.0
tasks:
- name: Update apt
@@ -14,31 +16,23 @@
- name: Install required system packages
apt: name={{ vpn_packages }} state=latest
- - name: Build temp pki dir structure - cacerts
- shell: mkdir -p ~/pki/cacerts
- - name: Build temp pki dir structure - certs
- shell: mkdir -p ~/pki/certs
- - name: Build temp pki dir structure - private and set perms
- shell: mkdir -p ~/pki/private && chmod 700 ~/pki
+ - name: set kernel params
+ shell: |
+ cat >> /etc/sysctl.conf << EOF
+ net.ipv4.ip_forward = 1
+ net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.send_redirects = 0
+ EOF
- - name: Generate root key 4096 bit RSA
- shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-ca-key.pem
+ - name: save kernel params
+ shell: sysctl -p /etc/sysctl.conf
+
+ - name: Generate preshared key
+ shell: openssl rand -hex 32
+ register: awful_psk
- - name: Create root cert authority & sign with root key
- become_method: sudo
- shell: ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/awful-ca-key.pem --type rsa --dn "CN=vpn.awful.club" --outform pem > ~/pki/cacerts/awful-ca-cert.pem
-
- - name: Generate cert for the VPN host
- shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-server-key.pem
-
- - name: Create & sign VPN server cert with CA cert.
- shell: ipsec pki --pub --in ~/pki/private/awful-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/cacerts/awful-ca-cert.pem --cakey ~/pki/private/awful-ca-key.pem --dn "CN=vpn.awful.club" --san "vpn.awful.club" --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/awful-server-cert.pem
-
- - name: move temp pki dir structure to proper /etc/ipsec.d/ dir
- shell: sudo cp -r ~/pki/* /etc/ipsec.d/
-
- - name: make backup of default sswan conf file
- shell: sudo mv /etc/ipsec.conf /etc/ipsec.conf.original
+ - debug:
+ msg: got this key {{ awful_psk }}
- name: Copy my ipsec.conf file to the VPN host
# this file does a lot. view more info in the readme.md
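Review bot: The `debug` task at the end of the hunk prints the freshly generated pre-shared key (`msg: got this key {{ awful_psk }}`) into the playbook output, so the VPN secret ends up in every console, CI and Ansible log that runs this play; it should be dropped, and the `Generate preshared key` task that registers `awful_psk` needs `no_log: true` so the registered result is not echoed by the runner either. That same task also produces a new key on every run, so each apply rotates the PSK; if that is intentional it deserves a comment, otherwise the key needs to be generated once and reused. The `set kernel params` task appends the three sysctl lines with `cat >>`, so repeated runs accumulate duplicate entries in /etc/sysctl.conf; the `sysctl` module sets the value, writes the file and reloads in one idempotent step, which also makes the separate `save kernel params` task unnecessary.
```yaml
    - name: set kernel params
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        reload: true
      loop:
        - { name: net.ipv4.ip_forward, value: "1" }
        - { name: net.ipv4.conf.all.accept_redirects, value: "0" }
        - { name: net.ipv4.conf.all.send_redirects, value: "0" }

    # … unchanged: Generate preshared key task (add `no_log: true`); debug task removed …
```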
@@ -48,81 +42,17 @@
owner: root
group: root
- - name: Copy my ipsec.secrets file to the VPN host
- # this file does a lot. view more info in the readme.md
- copy:
- src: ipsec.secrets
- dest: /etc/ipsec.secrets
- owner: root
- group: root
+ - name: remove existing ipsec.secerts
+ shell: rm /etc/ipsec.secrets
- - name: restart strongswan
- shell: systemctl restart strongswan
-
- - name: allow SSH connections
- ufw:
- rule: allow
- name: OpenSSH
-
- - name: Deny everything and enable UFW
- ufw:
- state: enabled
- policy: deny
-
- - name: rate limit ssh connections
- ufw:
- rule: limit
- port: ssh
- proto: tcp
-
- - name: Allow all access from RFC1918 networks to this host
- ufw:
- rule: allow
- src: '{{ item }}'
- loop:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
-
- - name: Allow tcp ipsec ports
- ufw:
- rule: allow
- port: 500
- port: 4500
- proto: tcp
-
- - name: Allow udp ipsec ports
- ufw:
- rule: allow
- port: 4500
- port: 500
- proto: udp
-
- - name: copy local before.rules to vpn host
- copy:
- src: before.rules
- dest: /etc/ufw/before.rules
- owner: root
- group: root
+ - name: create ipsec.secrets with psk info
+ shell: |
+ cat >> /etc/ipsec.secrets << EOF
+ {{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"
+ EOF
- - name: copy local sysctl.conf to vpn host
- copy:
- src: sysctl.conf
- dest: /etc/ufw/sysctl.conf
- owner: root
- group: root
+ - name: update route rules
+ shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE
- - name: disable ufw to save config
- ufw:
- state: disabled
-
- - name: reload ufw to activate changes
- ufw:
- state: enabled
-
- - name: Copy ca-cert down to local machine
- fetch:
- src: /etc/ipsec.d/cacerts/awful-ca-cert.pem
- dest: awful-ca-cert.pem
- flat: yes
+ # - name: copy psk down to local machine
+ # local_action: copy_content={{ awful_psk }} dest=psk.txt
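Review bot: The `create ipsec.secrets with psk info` task writes the PSK through a shell heredoc, so /etc/ipsec.secrets is created with whatever the root umask allows (typically world-readable) and the secret becomes part of the task's command text, which Ansible keeps in the task result and prints under `-v`; a `copy` task with `content:`, `mode: "0600"` and `no_log: true` addresses both and makes the preceding `rm /etc/ipsec.secrets` task (misspelled `ipsec.secerts` in its name) unnecessary — as written, `rm` without `-f` fails the play whenever the file is absent. The selector line is kept in the author's `{{local_host}}: PSK` form below; whether strongSwan accepts the colon without a preceding space should be confirmed against ipsec.secrets(5). The `update route rules` task appends the NAT rule with `iptables -A` on every run and never persists it across a reboot; the `iptables` module with `table: nat`, `chain: POSTROUTING` and `jump: MASQUERADE` is idempotent, though persistence still needs its own step. With the ufw tasks gone, nothing left in this play restricts inbound access to the host — if the firewall is now managed elsewhere, a comment saying so would help the next reader.
```yaml
    - name: create ipsec.secrets with psk info
      copy:
        content: |
          {{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"
        dest: /etc/ipsec.secrets
        owner: root
        group: root
        mode: "0600"
      no_log: true

    - name: update route rules
      iptables:
        table: nat
        chain: POSTROUTING
        source: 192.168.1.0/24
        destination: 10.138.0.0/16
        jump: MASQUERADE

    # … unchanged: commented-out "copy psk down to local machine" task …
```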