I have a question regarding VPN connections. Is it possible to connect two remote locations using a VPN if I don’t have a public IP address on either side?
Can I use DDNS for this purpose? If so, could you provide some guidance or tips on how to set this up?
There are a bunch of different VPN technologies built into RouterOS, largely because there isn’t a single definition for what “VPN” means or why you’d set one up. What’s your purpose in having a VPN? Yes, you say you want two sites connected, but why? For what specific purpose? Knowing that will inform the best choice of VPN tech.
If you’re going to limit us to making generic observations, I’ll point out that of the stock options, ZeroTier meets your constraints best as it arranges connections through NAT by use of a public service. The two endpoints merely need to see the public ZT service, not each other directly.
This is not without problems of its own, which is why I’d first reach for WireGuard instead. Every VPN tech has problems, but I have the least dislike for the particular bag of problems WG presents.
And yes, it is perfectly fine to use WG with DDNS, through NAT. You can even run it from behind someone else’s router, as I did for about a year before replacing my other-vendor Internet gateway with a hAP ax³, permitting direct WG connections. I do still use a DDNS service to work out where it is, but the double-NAT ugliness has gone away for me now.
However, I tried it already, and it looks like ZeroTier is not supported on “mmips”.
My router model is RB750Gr3… I guess I should’ve said it earlier, but I wanted to keep the question simple.
I’m guessing you’d likely be better off with IPSec using IKEv2 on the older hEX, since IPSec will use hardware encryption, i.e. WireGuard will not be hardware offloaded, so it might be slower. Although IKEv2 is a bit more complex to set up than ZeroTier or even WG. One side does need to be enabled as the responder, with a similar DDNS trick.
A bit? Hah! More like 3-10× more complicated, depending. Let’s see:
Three ports you need to forward through the firewall, not one.
The vastly over-engineered X.509 certificate system vs Base64 hex strings for keys.
Working out how each third-party vendor has managed to implement things incompatibly while still waving the flag of a worldwide standard to distract you from their particular flavor of lock-in, vs a single implementation that interoperates because duh, of course it does.
Can you confirm that both sites don’t have an ISP router with a public IP, where you can forward ports to your router?
Currently your best option is to pay for a cloud server ($6 US a month) and buy a CHR license from MT and put it on the server.
This will connect all your routers easily via WireGuard.
LOL. I’ll give 2× more complicated. You can use a PSK and avoid the certs. My comment was based on an old hEX, which can offload IPSec encryption, but that is IPSec’s singular benefit.
If one follows the docs, you forgot the loopback and GRE tunnel parts in your list.
Those were two separate questions, port-forwarding and public IP. A good many ISP-supplied modems do give port-forwarding capabilities without needing a public IP. Alternately, a good many can be put into bridge mode, allowing your hEX to acquire the public IP from the ISP directly, easing VPN setup considerably.
Thank you very much for your effort to explain something to me. I’m trying to learn a lot of stuff by myself, and it’s really hard. That could be the reason why some of my questions are “dumb” or look like “low effort” questions, or why some of my answers look like I’m easily ignoring something.
It is really the “without public IP” that makes any VPN solution complex, which would be true of any router. If one side does have a public IP, then the WireGuard (or IPSec) option would be possible. This part would be good to clarify: does ONE side of the proposed VPN get a public IP?
Otherwise, if BOTH sides are behind a NAT (which also implies firewalls outside of your control)… you need something that does “hole punching” (or to know more about the specific NAT being used, to manually set up ports). While ZeroTier and MikroTik’s “Back-to-Home” (BTH) could be used to solve the lack of public IPs on both sides, they require a newer router. On this point, if you just got the hEX… I hope you got a good deal on it, since there is a newer version of the hEX that does support BTH and ZeroTier that just came out.
Hi Monty,
Yes, depending upon the MT device, even if you don’t have any public IPs, you can use BTH to connect single devices to your MT router.
BTH will NOT provide new hEX router to new hEX router connection over WireGuard. Only single devices like phones and laptops to either one of the two.
TWO options really:
One option is to buy two new MT hEXs and then you should be able to use ZeroTier to connect the two sites.
With the current hEXs, you still can do WireGuard if you do rent a server in the cloud and buy and put a CHR RoS license on it.
My bad.
You are correct, using DDNS you do need one publicly reachable IP (but it does not need to be static).
My home IP was public reachable (still is), SXT device was behind CGNAT.
It would still be good to know @Monty995’s actual WAN situation. It could just be terminology, like one side may have a dynamic public IP, in which case… adding DDNS would work for WireGuard. e.g. Folk are reading a lot from the title, which may not be 100% what’s going on. Now perhaps it’s 100% right, but confirming the exact situation would help a lot. We also know it’s an older hEX without ZT or BTH…
So @Monty995, can you check in /ip/address (like for the “ether1” interface, or whatever port the internet is using) to see if the address starts with 10.x.x.x, 172.[16-31].x.x, 192.168.x.x, or 100.[64-127].x.x. If it’s anything else, then you have a “public IP”. If both ends are in those ranges, then yeah, you need something else in the middle, like BTH or ZeroTier, which are not supported on MIPS CPUs.
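The address check above, together with the earlier point that a router can sit behind an ISP box that itself holds a public IP and can forward ports, boils down to a small decision procedure. The following is an added example written for this thread, not something from the forum posters or from MikroTik: it classifies a WAN address into the RFC 1918 / RFC 6598 (CGNAT) ranges listed above, then decides whether two sites can run WireGuard directly, with one side as the DDNS-named responder, or only through a third party in the middle (cloud CHR, or ZT/BTH where the hardware supports them). The site dictionary keys `wan`, `isp_router_public` and `isp_router_forwards` and all sample addresses are constructed for the example.

```python
"""Decide which site-to-site VPN topology two routers can support.

Added example for the thread, not from the forum or from MikroTik.
Each site is described by the address its WAN interface actually holds
(what /ip/address shows for the Internet-facing port) plus two facts
about any ISP router sitting in front of it.
"""
from ipaddress import IPv4Address, ip_address, ip_network

# Address space that marks a router as sitting behind someone else's NAT:
# the RFC 1918 private ranges and the RFC 6598 carrier-grade NAT range
# (100.64.0.0/10 covers 100.64.0.0 .. 100.127.255.255).
PRIVATE_RANGES = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
CGNAT_RANGE = ip_network("100.64.0.0/10")


def classify_wan(addr: str) -> str:
    """Return 'private', 'cgnat' or 'public' for an IPv4 address, with or without a /prefix."""
    ip = ip_address(addr.split("/", 1)[0])
    if not isinstance(ip, IPv4Address):
        raise ValueError("IPv4 addresses only")
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if ip in CGNAT_RANGE:
        return "cgnat"
    return "public"


def is_reachable(site: dict) -> bool:
    """A site can act as the VPN responder if its WAN address is public, or if the
    ISP router in front of it holds a public address and can forward a UDP port.
    Site dict keys (hypothetical): wan, isp_router_public, isp_router_forwards."""
    if classify_wan(site["wan"]) == "public":
        return True
    return bool(site.get("isp_router_public")) and bool(site.get("isp_router_forwards"))


def vpn_plan(site_a: dict, site_b: dict) -> dict:
    """Pick the topology:
    'direct'    - both sides reachable, either can be the WireGuard responder;
    'one-sided' - one reachable side is the responder (DDNS name if its address is
                  dynamic); the NATed side initiates and keeps the tunnel alive;
    'relay'     - no reachable side, so a third party in the middle is required."""
    reachable = [name for name, s in (("A", site_a), ("B", site_b)) if is_reachable(s)]
    if len(reachable) == 2:
        kind = "direct"
    elif len(reachable) == 1:
        kind = "one-sided"
    else:
        kind = "relay"
    return {
        "A": classify_wan(site_a["wan"]),
        "B": classify_wan(site_b["wan"]),
        "responder": reachable[0] if reachable else None,
        "topology": kind,
    }


if __name__ == "__main__":
    # Constructed sample data: site A on CGNAT with no usable ISP router, site B
    # double-NATed behind an ISP router that holds a public address and can forward a port.
    cgnat_site = {"wan": "100.64.12.34/22", "isp_router_public": False, "isp_router_forwards": False}
    home_site = {"wan": "192.168.1.2/24", "isp_router_public": True, "isp_router_forwards": True}
    print(vpn_plan(cgnat_site, home_site))
```

Run it with the two sites' real values substituted: a `relay` result is exactly the "something in the middle" case discussed in this thread, while `one-sided` means the responder goes on the named site and only that site needs a DDNS name and a forwarded UDP port.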
I think I was specific enough AMMO, I asked already if the ISP devices got public IPs themselves and also if they could port forward to his MT routers from them.
Even if you could use DynDNS, if there is no port forwarding you would be poop out of luck.
However, it’s worth it to double check, as the response to → do both have private IPs, his response really didn’t make it clear LOL
Quote: “Can confirm. I accessed the ISP router. No public IP addresses sadly” unquote.