This is in the latest version of Piwik 3.2.0
If you head to the HTTPS address, using the direct IP, and get the warning message about an untrusted hostname, then view the source of that page, the listing for piwik.piwik_url is the INTERNAL IP and not the EXTERNAL that you used to get there. This should be fixed, it’s a low risk, but the internal should never be exposed to the general public. The only work around we have right now is to disable this feature using enable_trusted_host_check=0 Viewing the source with it disabled, displays the correct external IP.
Haven't had a closer look, but afaik it should output