diff --git a/internal/configuration/settings/openvpn.go b/internal/configuration/settings/openvpn.go
index d3ff2e1e..5c9fa464 100644
--- a/internal/configuration/settings/openvpn.go
+++ b/internal/configuration/settings/openvpn.go
@@ -95,12 +95,13 @@ func (o OpenVPN) validate(vpnProvider string) (err error) {
 	}
 
 	isCustom := vpnProvider == providers.Custom
+	isUserRequired := !isCustom && vpnProvider != providers.VPNSecure
 
-	if !isCustom && *o.User == "" {
+	if isUserRequired && *o.User == "" {
 		return ErrOpenVPNUserIsEmpty
 	}
 
-	passwordRequired := !isCustom &&
+	passwordRequired := isUserRequired &&
 		(vpnProvider != providers.Ivpn || !ivpnAccountID.MatchString(*o.User))
 
 	if passwordRequired && *o.Password == "" {
diff --git a/internal/provider/utils/openvpn.go b/internal/provider/utils/openvpn.go
index 7125e532..14b11e4d 100644
--- a/internal/provider/utils/openvpn.go
+++ b/internal/provider/utils/openvpn.go
@@ -61,10 +61,13 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 	lines.add("suppress-timestamps")      // do not log timestamps, the Gluetun logger takes care of it
 	lines.add("dev", settings.Interface)
 	lines.add("verb", fmt.Sprint(*settings.Verbosity))
-	lines.add("auth-user-pass", openvpn.AuthConf)
 	lines.add("proto", connection.Protocol)
 	lines.add("remote", connection.IP.String(), fmt.Sprint(connection.Port))
 
+	if *settings.User != "" {
+		lines.add("auth-user-pass", openvpn.AuthConf)
+	}
+
 	if !provider.AuthToken {
 		lines.add("pull-filter", "ignore", `"auth-token"`) // prevent auth failed loops
 	}