Using RouterOS 7.8 at both ends, I came up with one possible solution: EoIP (without encryption) over WireGuard.
It works but is not very fast: with gigabit LAN between RB5009 (server) and RB760 (client) I get only about 100 Mbps. I’ve read somewhere that EoIP is slow.
On the RB760 client one CPU core gets 100% load during Btest. Is there a better way?
The tunnel needs to be transparent (including VLANs with baby jumbo frames, like RFC4638 PPPoE: 14 bytes Ethernet header + 4 bytes VLAN tag + 8 bytes PPPoE overhead + 1500 bytes data = 1526 bytes full frame without CRC) and work with bridge VLAN filtering (so no PPP BCP - or was that limitation removed?).
Would using IPsec (HW accelerated) be faster than WG, and could that be made to work with client side behind NAT (dynamic IP, possibly double NAT and any other badness not under my control)?
Would be good if any packet fragmentation only happens at both ends under my control, and not in the ISP’s network in between.
The idea is to replace my slow wireless link with something faster until fiber can be leased properly (which takes months), while keeping my services (static IPv4 and IPv6 over PPPoE with RFC4638) and no changes at customer side except one additional RB760 box connected (ether1 as DHCP client to the FTTH router, ether2 bridged over the Internet to my PPPoE server as an access port on one VLAN, management of my box on another VLAN so no need for port forwarding etc.).
So I reduce the WG MTU from default 1420 to account for possible PPPoE somewhere in between, and increase the EoIP MTU to 1512 to account for my PPPoE and VLAN headers. Large packets will be split in two, but should travel over the Internet undisturbed as normal UDP without fragments.
Would be happy to replace RB760 with RB5009 at the client side, but they are more expensive, and out of stock everywhere anyway.
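
The MTU reasoning in the post can be checked with a short calculation. This is an added example, not the poster's configuration: it takes one full-size bridged frame through EoIP and WireGuard and reports the size of every packet that reaches the Internet path. Assumptions: the WireGuard MTU is lowered to 1412 (the post gives no value), the EoIP packets travel over IPv4 inside WireGuard and may be fragmented there, and the path in between carries 8 bytes of PPPoE (1492-byte MTU).

```python
# Added example. Header sizes are protocol constants; the MTU values fed in
# below are the post's numbers plus an assumed WireGuard MTU of 1412.
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
WG_OVERHEAD = 16 + 16   # WireGuard data-message header + Poly1305 tag
EOIP_GRE_HDR = 8        # GRE header used by EoIP
ETH_HDR = 14            # inner Ethernet header, not counted in the EoIP MTU


def wg_mtu_for_path(path_mtu, outer_ipv6=False):
    """Largest WireGuard MTU whose encrypted packets fit path_mtu unfragmented."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return path_mtu - outer_ip - UDP_HDR - WG_OVERHEAD


def ipv4_fragments(packet_len, mtu):
    """Sizes of the IPv4 fragments a packet_len-byte packet becomes on this MTU."""
    if packet_len <= mtu:
        return [packet_len]
    payload = packet_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8   # fragment payloads align to 8 bytes
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IPV4_HDR + chunk)
        payload -= chunk
    return sizes


def outer_packets(eoip_mtu, wg_mtu, outer_ipv6=False):
    """Outer IP packet sizes on the Internet path for one full-size bridged frame."""
    eoip_packet = IPV4_HDR + EOIP_GRE_HDR + ETH_HDR + eoip_mtu
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    sizes = []
    for frag in ipv4_fragments(eoip_packet, wg_mtu):
        padded = min(wg_mtu, (frag + 15) // 16 * 16)   # WireGuard pads to 16 bytes
        sizes.append(padded + WG_OVERHEAD + UDP_HDR + outer_ip)
    return sizes


if __name__ == "__main__":
    PPPOE_PATH = 1500 - 8   # Ethernet path with 8 bytes of PPPoE in between
    for wg_mtu in (1420, 1412):
        for v6 in (False, True):
            pkts = outer_packets(1512, wg_mtu, outer_ipv6=v6)
            print(wg_mtu, "IPv6" if v6 else "IPv4", pkts, max(pkts) <= PPPOE_PATH)
```

With the default WireGuard MTU of 1420 and an IPv6 outer transport, the larger packet comes to 1500 bytes and no longer fits a 1492-byte PPPoE path; at 1412 both the IPv4 and IPv6 cases fit.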