diff --git a/modules/rhizo_base/manifests/openbsc.pp b/modules/rhizo_base/manifests/openbsc.pp
index 2d81146..64127ef 100644
--- a/modules/rhizo_base/manifests/openbsc.pp
+++ b/modules/rhizo_base/manifests/openbsc.pp
@@ -32,6 +32,7 @@ class rhizo_base::openbsc {
   $ggsn_ip_address = hiera('rhizo::ggsn_ip_address')
   $repo            = hiera('rhizo::osmo_repo', 'latest')
   $bts             = hiera('rhizo::bts')
+  $pgsql_pwd       = $rhizo_base::pgsql_pwd
 
   $nitb_version = $repo ? {
     'latest'    => 'present',
@@ -122,56 +123,55 @@ class rhizo_base::openbsc {
       require => Package['osmo-sip-connector'],
     }
 
-  if ($gprs != "disabled") {
-    file { '/etc/osmocom/make_sgsn_acl_config':
-         content => template('rhizo_base/make_sgsn_acl_config.erb'),
-         mode => "0750",
-      }
-
-
-    systemd::dropin_file { 'override.conf':
-        unit    => 'osmo-sgsn.service',
-        source  => 'puppet:///modules/rhizo_base/systemd/coredump.override'
+  file { '/etc/osmocom/make_sgsn_acl_config':
+       content => template('rhizo_base/make_sgsn_acl_config.erb'),
+       mode    => "0750",
+       notify  => Exec['osmo-sgsn.cfg']
     }
 
-    $sgsn_version = $repo ? {
-      'latest'    => 'latest',
-      'nightly'   => 'latest',
-      default     => 'installed',
-     }
-
-    file { '/etc/osmocom/osmo-sgsn.cfg':
-         content => template("rhizo_base/osmo-sgsn.cfg.erb"),
-         mode => "0750",
-         notify  => Service['osmo-sgsn'],
-      }
-
-    package {  [ 'osmo-sgsn' ]:
-        ensure   => $sgsn_version,
-        require  => Class['rhizo_base::apt'],
-      }
-
-    $libgtp_version = $repo ? {
-      'latest'    => 'installed',
-      'nightly'   => 'latest',
-      default     => '1.8.0',
-    }
-
-    package {  [ 'libgtp6' ]:
-        ensure   => $libgtp_version,
-        require  => Class['rhizo_base::apt'],
-      }
-
-    package { [ 'libosmo-gsup-client0' ]:
-        ensure   => 'latest',
-        require  => Class['rhizo_base::apt'],
-      }
-    package { [ 'libosmocore' ]:
-        ensure   => 'latest',
-        require  => Class['rhizo_base::apt'],
-      }
+  systemd::dropin_file { 'override.conf':
+      unit    => 'osmo-sgsn.service',
+      source  => 'puppet:///modules/rhizo_base/systemd/coredump.override'
   }
 
+  $sgsn_version = $repo ? {
+    'latest'    => 'latest',
+    'nightly'   => 'latest',
+    default     => 'installed',
+   }
+
+  package {  [ 'osmo-sgsn' ]:
+      ensure   => $sgsn_version,
+      require  => Class['rhizo_base::apt'],
+    }
+
+  $libgtp_version = $repo ? {
+    'latest'    => 'installed',
+    'nightly'   => 'latest',
+    default     => '1.8.0',
+  }
+
+  package {  [ 'libgtp6' ]:
+      ensure   => $libgtp_version,
+      require  => Class['rhizo_base::apt'],
+    }
+
+  package { [ 'libosmo-gsup-client0' ]:
+      ensure   => 'latest',
+      require  => Class['rhizo_base::apt'],
+    }
+  package { [ 'libosmocore' ]:
+      ensure   => 'latest',
+      require  => Class['rhizo_base::apt'],
+    }
+
+  exec { 'osmo-sgsn.cfg':
+      command     =>
+        '/etc/osmocom/make_sgsn_acl_config > /etc/osmocom/osmo-sgsn.cfg',
+      require     => File['/etc/osmocom/make_sgsn_acl_config'],
+      refreshonly => true,
+    }
+
   exec { 'hlr_pragma_wal':
       command     =>
         '/usr/bin/sqlite3 /var/lib/osmocom/hlr.sqlite3 "PRAGMA journal_mode=wal;"',
diff --git a/modules/rhizo_base/templates/make_sgsn_acl_config.erb b/modules/rhizo_base/templates/make_sgsn_acl_config.erb
index 4042e9a..3e8ef83 100644
--- a/modules/rhizo_base/templates/make_sgsn_acl_config.erb
+++ b/modules/rhizo_base/templates/make_sgsn_acl_config.erb
@@ -1,4 +1,5 @@
 #!/bin/bash
+_auth=`psql postgresql://rhizomatica:<%= @pgsql_pwd %>@localhost:5432/rhizomatica -t -c "SELECT msisdn from subscribers where subscription_status=1" | grep . | sed -n '1h;1!H;${g;s/\n/,/g;p;}'`
 cat << EOF
 !
 ! Osmocom SGSN configuration
@@ -23,10 +24,10 @@ sgsn
  ggsn 0 echo-interval 60
  auth-policy acl-only
 EOF
-echo "SELECT imsi from subscriber where authorized=1 ORDER BY imsi;" | sudo /usr/bin/sqlite3 /var/lib/osmocom/hlr.sqlite3 | grep "^[0-9].*" | sed 's/\(.*\)/ imsi-acl add \1/'
+echo "SELECT imsi from subscriber where extension in ($_auth) ORDER BY imsi;" | sudo /usr/bin/sqlite3 /var/lib/osmocom/hlr.sqlite3 | grep "^[0-9].*" | sed 's/\(.*\)/ imsi-acl add \1/'
 cat << EOF
- gsup remote-ip 127.0.0.1
- gsup remote-port 4222
+ !gsup remote-ip <%= @vpn_ip_address %>
+ !gsup remote-port 4222
 !
 ns
  timer tns-block 3
diff --git a/modules/rhizo_base/templates/rhizomatica.cron.erb b/modules/rhizo_base/templates/rhizomatica.cron.erb
index c33bae8..08e336b 100644
--- a/modules/rhizo_base/templates/rhizomatica.cron.erb
+++ b/modules/rhizo_base/templates/rhizomatica.cron.erb
@@ -74,8 +74,10 @@ PYTHONPATH=$PYTHONPATH:/var/rhizomatica/rccn
 #Restart osmo-nitb every 6 hours (This wasn't working anyway. If it is needed, do something more elegant!)
 #  0 */6   *   *   *     root /usr/bin/sv restart osmo-nitb 2>&1 > /dev/null
 
+<% if @osmo_stack != 'split' -%>
 # Rebuild ACL config and restart the SGSN (stopgap pre HLR solution, we loose all PDP contexts)
-#  55 2     *   *   *    root /etc/osmocom/make_sgsn_acl_config > /etc/osmocom/osmo-sgsn.cfg ; systemctl restart osmo-sgsn
+  55 2     *   *   *    root /etc/osmocom/make_sgsn_acl_config > /etc/osmocom/osmo-sgsn.cfg ; systemctl restart osmo-sgsn
+<% end -%>
 
 # It's a new day....
   30  5  *   *   *      root /home/rhizomatica/bin/check_broken.sh