diff --git a/devrun/internal/credentials.go b/devrun/internal/credentials.go
index 9534ec3b..87962eba 100644
--- a/devrun/internal/credentials.go
+++ b/devrun/internal/credentials.go
@@ -27,6 +27,8 @@ type providerCredentials struct {
 type openvpnCredentials struct {
 Username string
 Password string
+ Key string
+ Cert string
 }
 
 type wireguardCredentials struct {
@@ -76,10 +78,12 @@ func validateCredentials(providerNameToCredentials map[string]providerCredential
 
 func validateOpenvpnCredentials(provider string, creds *openvpnCredentials) error {
 switch {
- case creds.Username == "":
+ case creds.Username == "" && creds.Password != "":
 return fmt.Errorf("provider %q openvpn credentials are missing the username", provider)
- case creds.Password == "":
+ case creds.Password == "" && creds.Username != "":
 return fmt.Errorf("provider %q openvpn credentials are missing the password", provider)
+ case creds.Username == "" && creds.Password == "" && creds.Key == "" && creds.Cert == "":
+ return fmt.Errorf("provider %q openvpn credentials are missing the username and password", provider)
 }
 return nil
 }
@@ -147,6 +151,8 @@ func buildOpenvpnEnv(creds *openvpnCredentials) []string {
 return []string{
 "OPENVPN_USER=" + creds.Username,
 "OPENVPN_PASSWORD=" + creds.Password,
+ "OPENVPN_KEY=" + creds.Key,
+ "OPENVPN_CERT=" + creds.Cert,
 }
 }
 
@@ -220,6 +226,11 @@ func formatCredentialForDump(provider, vpnType string,
 builder.WriteString("\n")
 builder.WriteString("password: ")
 builder.WriteString(providerCredentials.OpenVPN.Password)
+ builder.WriteString("\nkey: ")
+ builder.WriteString(providerCredentials.OpenVPN.Key)
+ builder.WriteString("\ncert: ")
+ builder.WriteString(providerCredentials.OpenVPN.Cert)
+ builder.WriteString("\n")
 case vpnTypeWireGuard:
 if providerCredentials.WireGuard == nil {
 return "", fmt.Errorf("no wireguard credentials found for provider %q", provider)
diff --git a/devrun/internal/encrypt.go b/devrun/internal/encrypt.go
index 76702a31..b2656bdf 100644
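Review bot: The new `Key` and `Cert` fields on `openvpnCredentials` carry no comment, and `Key` is private key material that the later hunks in this file place into the environment slice (`buildOpenvpnEnv`) and write in clear into the dump text (`formatCredentialForDump`). I would document both at the declaration, for example `Key string // client private key: secret, handle like Password` and `Cert string // client certificate that goes with Key`. The expected encoding (a full PEM block or a single-line body) is not stated anywhere in the diff and belongs in the same comment, since the value ends up in a `NAME=value` environment entry.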
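Review bot: A key without a cert (or a cert without a key) passes `validateOpenvpnCredentials` when username and password are both empty, because the last added case only fires when all four fields are empty. If key and cert are always used as a pair, which the diff suggests but does not state, add `case (creds.Key == "") != (creds.Cert == ""):` returning `fmt.Errorf("provider %q openvpn credentials need both key and cert", provider)`. The all-empty case also still reports only "missing the username and password", although a key and cert would now satisfy it as well.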
--- a/devrun/internal/encrypt.go
+++ b/devrun/internal/encrypt.go
@@ -205,19 +205,31 @@ func promptAndAddCredential(
 ) error {
 switch vpnType {
 case vpnTypeOpenVPN:
- username, err := readLine(ctx, "OpenVPN username: ", false)
+ username, err := readLine(ctx, "OpenVPN username: ", true)
 if err != nil {
 return fmt.Errorf("reading username: %w", err)
 }
 
- password, err := readSecret(ctx, "OpenVPN password: ", false)
+ password, err := readSecret(ctx, "OpenVPN password: ", username == "")
 if err != nil {
 return fmt.Errorf("reading password: %w", err)
 }
 
+ key, err := readSecret(ctx, "OpenVPN key: ", true)
+ if err != nil {
+ return fmt.Errorf("reading key: %w", err)
+ }
+
+ cert, err := readSecret(ctx, "OpenVPN cert: ", true)
+ if err != nil {
+ return fmt.Errorf("reading cert: %w", err)
+ }
+
 openvpnCredentials := &openvpnCredentials{
 Username: username,
 Password: string(password),
+ Key: string(key),
+ Cert: string(cert),
 }
 err = validateOpenvpnCredentials(provider, openvpnCredentials)
 if err != nil {
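Review bot: The key and cert are each read with a single `readSecret` call, while OpenVPN keys and certificates are normally multi-line PEM blocks; `readSecret` is not visible in this diff, but if it reads one line, a pasted PEM block would leave only its first line in `key` and the remainder would feed the cert prompt. The prompts should state the expected form, and a check after reading (for instance rejecting a value that begins with `-----BEGIN` when only a single-line body is accepted) would stop a truncated key from being stored. The meaning of the third argument (`true`, `username == ""`) is also only inferable from the call sites; a named local such as `allowEmptyPassword := username == ""` would make it readable. `promptAndAddCredential` continues past the end of the hunk.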