Improve synchronizer
diff --git a/xos/services/vpn/admin.py b/xos/services/vpn/admin.py
index 26887078..d346ddf 100644
--- a/xos/services/vpn/admin.py
+++ b/xos/services/vpn/admin.py
@@ -173,7 +173,6 @@
                     VPNService.get_service_objects().all()[0])
 
     def save(self, commit=True):
-        result = super(VPNTenantForm, self).save(commit=commit)
         self.instance.creator = self.cleaned_data.get("creator")
         self.instance.is_persistent = self.cleaned_data.get('is_persistent')
         self.instance.vpn_subnet = self.cleaned_data.get("vpn_subnet")
@@ -192,35 +191,8 @@
 
         self.instance.use_ca_from[:] = []
         self.instance.use_ca_from.append(self.cleaned_data.get('use_ca_from'))
-        result.save()  # Need to do this so that we know the ID
 
-        self.instance.pki_dir = (
-            VPNService.OPENVPN_PREFIX + "server-" + str(result.id))
-
-        if (not os.path.isdir(self.instance.pki_dir)):
-            VPNService.execute_easyrsa_command(
-                self.instance.pki_dir, "init-pki")
-            if (self.instance.use_ca_from[0]):
-                shutil.copy2(
-                    self.instance.use_ca_from[0].pki_dir + "/ca.crt",
-                    self.instance.pki_dir)
-                shutil.copy2(
-                    self.instance.use_ca_from[0].pki_dir + "/private/ca.key",
-                    self.instance.pki_dir + "/private")
-            else:
-                VPNService.execute_easyrsa_command(
-                    self.instance.pki_dir, "--req-cn=XOS build-ca nopass")
-        elif (self.instance.use_ca_from[0]):
-            shutil.copy2(
-                self.instance.use_ca_from[0].pki_dir + "/ca.crt",
-                self.instance.pki_dir)
-            shutil.copy2(
-                self.instance.use_ca_from[0].pki_dir + "/private/ca.key",
-                self.instance.pki_dir + "/private")
-
-        result.ca_crt = self.generate_ca_crt()
-
-        return result
+        return super(VPNTenantForm, self).save(commit=commit)
 
     def generate_ca_crt(self):
         """str: Generates the ca cert by reading from the ca file"""
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.py b/xos/synchronizers/vpn/steps/sync_vpntenant.py
index 58a9287..7538628 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.py
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.py
@@ -1,4 +1,5 @@
 import os
+import shutil
 import sys
 
 from django.db.models import F, Q
@@ -18,8 +19,46 @@
     template_name = "sync_vpntenant.yaml"
     service_key_name = "/opt/xos/synchronizers/vpn/vpn_private_key"
 
-    def __init__(self, *args, **kwargs):
-        super(SyncVPNTenant, self).__init__(*args, **kwargs)
+
+    def sync_fields(self, tenant, fields):
+        tenant.pki_dir = (
+            VPNService.OPENVPN_PREFIX + "server-" + str(result.id))
+
+        if (not os.path.isdir(tenant.pki_dir)):
+            VPNService.execute_easyrsa_command(
+                tenant.pki_dir, "init-pki")
+            if (tenant.use_ca_from[0]):
+                shutil.copy2(
+                    tenant.use_ca_from[0].pki_dir + "/ca.crt",
+                    tenant.pki_dir)
+                shutil.copy2(
+                    tenant.use_ca_from[0].pki_dir + "/private/ca.key",
+                    tenant.pki_dir + "/private")
+            else:
+                VPNService.execute_easyrsa_command(
+                    tenant.pki_dir, "--req-cn=XOS build-ca nopass")
+        elif (tenant.use_ca_from[0]):
+            shutil.copy2(
+                tenant.use_ca_from[0].pki_dir + "/ca.crt",
+                tenant.pki_dir)
+            shutil.copy2(
+                tenant.use_ca_from[0].pki_dir + "/private/ca.key",
+                tenant.pki_dir + "/private")
+
+        tenant.ca_crt = tenant.generate_ca_crt()
+
+        if (not os.path.isfile(tenant.pki_dir + "/issued/server.crt")):
+            VPNService.execute_easyrsa_command(
+                tenant.pki_dir, "build-server-full server nopass")
+
+        if (not os.path.isfile(tenant.pki_dir + "crl.pem")):
+            VPNService.execute_easyrsa_command(tenant.pki_dir, "gen-crl")
+
+        if (not os.path.isfile(tenant.pki_dir + "dh.pem")):
+            VPNService.execute_easyrsa_command(tenant.pki_dir, "gen-dh")
+
+        # will call run_playbook
+        super(SyncVPNTenant, self).sync_fields(tenant, fields)
 
     def fetch_pending(self, deleted):
         if (not deleted):
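Review bot: `result` is never defined in the new `sync_fields`, so its first statement (`str(result.id)`) would raise NameError before any PKI work runs; it was a local of the form's `save()`, and here it should presumably be `str(tenant.id)`. The `crl.pem` and `dh.pem` guards concatenate without a separator (`tenant.pki_dir + "crl.pem"`), so they never find the file and `gen-crl` / `gen-dh` run on every sync; use `tenant.pki_dir + "/crl.pem"` and `tenant.pki_dir + "/dh.pem"`, or `os.path.join`. The call `tenant.generate_ca_crt()` also needs checking, because the only definition visible on this page is the one left on `VPNTenantForm` in admin.py; confirm the tenant model has the method, otherwise this line fails with AttributeError. Separately, the `elif` branch re-copies the donor's `ca.crt` and `private/ca.key` on every pass, and the locally built CA key is unencrypted (`nopass`), so a comment stating the expected owner and mode of `pki_dir + "/private"` would help, since nothing in this hunk sets them.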
@@ -41,11 +80,3 @@
                 "protocol": tenant.protocol,
                 "pki_dir": tenant.pki_dir
                 }
-
-    def run_playbook(self, o, fields):
-        # Generate the server files
-        if (not os.path.isfile(o.pki_dir + "/issued/server.crt")):
-            VPNService.execute_easyrsa_command(
-                o.pki_dir, "build-server-full server nopass")
-            VPNService.execute_easyrsa_command(o.pki_dir, "gen-crl")
-        super(SyncVPNTenant, self).run_playbook(o, fields)
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
index 7bf1a25..556212c 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
@@ -39,7 +39,7 @@
     copy: src={{ pki_dir }}/crl.pem dest={{ pki_dir }}/crl.pem
 
   - name: get dh
-    copy: src=/opt/openvpn/init_pki/dh.pem dest={{ pki_dir }}/dh.pem
+    copy: src={{ pki_dir }}/dh.pem dest={{ pki_dir }}/dh.pem
 
   - name: erase config
     shell: rm -f {{ pki_dir }}/server.conf