Does TLS authentication encrypt username as well as password?

If I'm reading your question correctly, you're connecting to your VPN using a combination of TLS client authentication and username / password combination.

In this case a MitM attacker can read the full contents of the client certificate (link to the relevant message in the handshake protocol), which may include your username. The attacker can not read the username / password combination because they're sent after the TLS handshake is completed and thereby encrypted.

The mitigation is simple on the protocol level: Don't make a mutually authenticated connection to the server outright, but a unilaterally authenticated one and then let the server initiate a renegotiation with client authentication. This is different, because the conection will be encrypted using the cipher suite from the first connection and so an attacker can't eavesdrop on your client certificate.

If this mitigation isn't possible for whatever reason, you can try and make the two user names unique and distinct. For example you could assign the user a fully random common name in the certificate, which is checked in the internal database / access control list to a) be allowed access and b) match the readable / human-chosen password. This way an attacker can not learn the user name needed for the username / password pair. As far as I can tell, such a setup is possible with OpenVPN.