diff --git a/manifests/tun.pp b/manifests/tun.pp
index 6c2851e..54ca362 100644
--- a/manifests/tun.pp
+++ b/manifests/tun.pp
@@ -13,6 +13,9 @@
 # [*cert*]
 # Certificate to use for this tunnel
 #
+# [*key*]
+# Key to use for this tunnel
+#
 # [*client*]
 # Whether this tunnel should be setup in client mode.
 #
@@ -68,6 +71,7 @@
 $connect,
 $cafile = '',
 $cert = 'UNSET',
+ $key = '',
 $client = false,
 $options = [ ],
 $failover = 'rr',
@@ -95,6 +99,11 @@
 default => $cafile,
 }
+ $key_real = $key ? {
+ 'UNSET' => '',
+ default => $key,
+ }
+
 # Clients don't require a certificate but servers do
 if $client {
 $cert_default = ''
@@ -113,6 +122,9 @@
 if $cert_real != '' {
 validate_absolute_path( $cert_real )
 }
+ if $key_real != '' {
+ validate_absolute_path( $key_real )
+ }
 validate_bool( str2bool($client) )
 if is_string($options) {
diff --git a/templates/tun.erb b/templates/tun.erb
index e3c092c..1d57209 100644
--- a/templates/tun.erb
+++ b/templates/tun.erb
@@ -1,12 +1,4 @@
 # This file managed by Puppet
-<% if @cert_real != '' -%>
-cert = <%= @cert_real %>
-<% end -%>
-<% if @cafile_real != '' -%>
-CAfile = <%= @cafile_real %>
-<% else -%>
-# CAfile = /path/to/cafile.crt
-<% end -%>
 setuid = root
 setgid = root
@@ -35,6 +27,17 @@
 options = <%= option %>
 <%- end -%>
 [<%= @name %>]
+<% if @cert_real != '' -%>
+cert = <%= @cert_real %>
+<% end -%>
+<% if @cafile_real != '' -%>
+CAfile = <%= @cafile_real %>
+<% else -%>
+# CAfile = /path/to/cafile.crt
+<% end -%>
+<% if @key_real != '' -%>
+key = <%= @key_real %>
+<% end -%>
 <% if @accept -%>
 accept=<%= @accept %>
 <% end -%>
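Review bot: The new `[*key*]` entry in the first manifests/tun.pp hunk (`@@ -13,6 +13,9 @@`) does not say what kind of value is expected, although the validation hunk further down rejects anything that is not an absolute path. Something like `#   Absolute path to the private key file for *cert*. Leave empty when the key is stored in the cert file.` would match what the code enforces. The manifest lines visible in this diff only pass the path through to the template, so the entry should also state that the key file's ownership and mode are managed elsewhere and must keep it unreadable to other users.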
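Review bot: In the manifests/tun.pp validation hunk (`@@ -113,6 +122,9 @@`), `$key_real` is checked only for being an absolute path, so a key can be configured while `$cert_real` is empty. The context in the previous hunk sets `$cert_default = ''` for clients, so this combination looks reachable in client mode, and the templates/tun.erb hunk then writes a `key =` line with no `cert =` beside it. A guard such as `if $key_real != '' and $cert_real == '' { fail('key is set but cert is empty') }` would catch the misconfiguration at catalog compile time. The rest of the cert defaulting logic lies outside the hunk, so confirm how `$cert_real` is derived before adding it.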
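Review bot: In the templates/tun.erb hunk `@@ -35,6 +27,17 @@`, `CAfile` is now written into the `[<%= @name %>]` section, but nothing visible in the hunk emits a matching `verify` or `verifyChain` setting. On its own, stunnel loads the CA file without checking the peer certificate against it, so the tunnel may look authenticated when it is not. The section continues past the end of the hunk, so this may already be handled further down or by a separate parameter. If it is not, a comment next to the `CAfile` line, e.g. `# CAfile is only used when verify/verifyChain is set for this service`, would keep readers from assuming verification is on.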