
When I build AMIs using HashiCorp Packer, based on the AWS OpenVPN AMI, the public IP address from the first instance performing the build persists in later usage of the AMI when it should instead update.

So when I try to use the resulting AMI on a new AWS instance, if I try to generate certificates for a user, the openvpn.conf files always contain the incorrect old public IP from the instance used to build the AMI. It should be using the public IP from the current instance. Is there anything I can do to correct this behaviour?

In case it helps, this is a relevant extract of the user data that is used only when the instance starts (and not during the build). In this case, the VPN client will be configured as a gateway.

# Values substituted into the user data by the launch template
client_network=${client_network}
client_netmask_bits=${client_netmask_bits}
private_subnet1=${private_subnet1}
public_subnet1=${public_subnet1}
aws_internal_domain=${aws_internal_domain}
remote_subnet_cidr=${remote_subnet_cidr}

ls -la /usr/local/openvpn_as/scripts/

# VPN client address pool for daemon 0
/usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v $client_network ConfigPut
/usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v $client_netmask_bits ConfigPut
/usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value 'true' ConfigPut

# Routing: expose the VPC subnets and the client network to VPN clients via routes (not NAT)
/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.gateway_access --value 'true' ConfigPut
/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.0 --value "$private_subnet1" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.1 --value "$public_subnet1" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.2 --value "$client_network/$client_netmask_bits" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_access --value 'route' ConfigPut

# DNS: push the VPC-internal domain and route client DNS through the VPN
/usr/local/openvpn_as/scripts/sacli --key 'vpn.client.routing.reroute_dns' --value 'true' ConfigPut
/usr/local/openvpn_as/scripts/sacli --key 'vpn.server.dhcp_option.domain' --value "$aws_internal_domain" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key 'vpn.server.routing.allow_private_nets_to_clients' --value 'true' ConfigPut
/usr/local/openvpn_as/scripts/sacli start

# Gateway user: autologin profile plus a client-to-server route for the remote site
cd /usr/local/openvpn_as/scripts/
./sacli --user $openvpn_user --key 'prop_autologin' --value 'true' UserPropPut
./sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut
./sacli --user $openvpn_user AutoGenerateOnBehalfOf

# Export the autologin profile as separate files (ca/cert/key/ta/conf) into ./seperate
mkdir -p seperate
./sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get5
chown $openvpn_user seperate/*
/usr/local/openvpn_as/scripts/sacli start
ls -la seperate

1 Answer


The first clue to solving this was provided by querying the DB:

/usr/local/openvpn_as/scripts/sacli ConfigQuery

This showed the host.name entry was incorrect, which could easily be fixed with:

# Read the public IPv4 of the current instance from the EC2 metadata service, then store it as host.name
public_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4); echo "Public IP: $public_ip"
/usr/local/openvpn_as/scripts/sacli --key "host.name" --value "$public_ip" ConfigPut

It was also mentioned in the OpenVPN docs that, when restoring from a backup, the listener could be configured to use an incorrect IP, and that this can be restored to defaults with...

/usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.server.ip_address" --value "all" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut
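Putting the answer's two fixes together as a first-boot script, as an added example that is not code from the original question or answer: it reads the public IPv4 from instance metadata using an IMDSv2 session token (the answer's curl uses the unauthenticated IMDSv1 URL, which is disabled on many hardened accounts), refuses to write anything that is not a dotted-quad IPv4 into host.name, applies the host.name and listener/port keys from the answer, and checks ConfigQuery afterwards so a silently failed ConfigPut cannot leave the build-time address behind. The sacli path, the metadata endpoint, the `--apply`/`--dry-run` entry points and the assumption that ConfigQuery prints the key as `"host.name": "<ip>"` are mine, not the page's.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: a first-boot
# script for an OpenVPN Access Server AMI whose host.name was captured at Packer
# build time. It re-reads the public IPv4 from instance metadata, validates it,
# and rebinds host.name plus the listener defaults the answer lists.
# Assumptions (mine): sacli lives at SACLI below, IMDSv2 is reachable, and
# ConfigQuery prints the JSON key as "host.name": "<ip>".
set -eu

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
IMDS="${IMDS:-http://169.254.169.254}"

# Accept only a dotted-quad IPv4 so an empty or HTML error body from the
# metadata service can never be written into host.name.
is_ipv4() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip                      # split on dots into positional parameters
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Fetch the public IPv4 via IMDSv2. The answer above uses the unauthenticated
# IMDSv1 URL; the session token below also works where IMDSv2 is enforced.
public_ip() {
  token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  ip=$(curl -sf "$IMDS/latest/meta-data/public-ipv4" \
            -H "X-aws-ec2-metadata-token: $token") || return 1
  is_ipv4 "$ip" || return 1
  printf '%s\n' "$ip"
}

# Print the sacli calls that rebind the server to the current instance, one per
# line, so they can be inspected (or tested) before being executed.
rebind_commands() {
  is_ipv4 "$1" || { echo "rebind_commands: invalid IPv4 '$1'" >&2; return 1; }
  cat <<EOF
$SACLI --key host.name --value $1 ConfigPut
$SACLI --key vpn.daemon.0.server.ip_address --value all ConfigPut
$SACLI --key vpn.daemon.0.listen.ip_address --value all ConfigPut
$SACLI --key vpn.server.daemon.udp.port --value 1194 ConfigPut
$SACLI --key vpn.server.daemon.tcp.port --value 443 ConfigPut
$SACLI start
EOF
}

# apply_rebind IP [dry-run]: run the commands, or only echo them when the second
# argument is "dry-run". Stops at the first failing sacli call.
apply_rebind() {
  is_ipv4 "$1" || return 1
  rebind_commands "$1" | while IFS= read -r cmd; do
    if [ "${2:-apply}" = dry-run ]; then
      printf 'DRY-RUN: %s\n' "$cmd"
    else
      $cmd || exit 1            # exits the pipeline subshell, failing the loop
    fi
  done
}

# Confirm the stored value matches what was written (assumes the ConfigQuery
# JSON layout noted at the top).
verify_hostname() {
  "$SACLI" ConfigQuery | grep -Eq "\"host\.name\": *\"$1\""
}

main() {
  ip=$(public_ip) || { echo "could not get public IPv4 from IMDS" >&2; exit 1; }
  apply_rebind "$ip" "${1:-apply}"
  [ "${1:-apply}" = dry-run ] || verify_hostname "$ip"
}

# Run only when invoked with --apply or --dry-run, so the functions can be
# sourced and tested without touching IMDS or sacli.
case "${1:-}" in
  --apply)   main apply ;;
  --dry-run) main dry-run ;;
esac
```

Run it as `sh rebind.sh --dry-run` on a fresh instance to see the six sacli calls it would make, then `--apply`; because host.name feeds the `remote` line of every generated client profile, it must be corrected before the `AutoGenerateOnBehalfOf`/`get5` steps in the user data, not after.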