Breaking someone's internet = bad
Fixing broken things = good
It's the starting from absolute zero I don't like, because configuring VPNs is not exactly beginner friendly. PPTP is probably simplest, but on the wire it's too obviously VPN. Same problem is with IPSec. SSTP or OpenVPN may, at least at first sight, look like HTTPS, but they need certificates, so again not best for beginners.
I'd say the simplest way is to use SSH tunnel with local SOCKS proxy. On router it means just enabling SSH and forwarding (it may even be like this by default, I'm not sure):
/ip service set ssh disabled=no
/ip ssh set forwarding-enabled=both
Next step is to allow port in firewall:
/ip firewall filter
add chain=input protocol=tcp dst-port=22
This rule needs to be moved high enough, before the one that blocks access, if there is such. If the router is going to be connected behind friend's router, it just needs a port forwarded from there to this router's port 22 (tcp, any number, probably best to forward several different ones and see which one will work). And that's it on this side.
Client then needs some SSH client like PuTTY (putty.exe from
here). Connect to address and port of remote router, but before that go to Connection->SSH->Tunnels and configure it to create local SOCKS server. Enter
Source port, e.g. 1080, select
Dynamic and click
Add. It will appear as "D1080" in the list above. Connect to server and if it works, it will create local SOCKS5 server listening on 127.0.0.1:1080. Configure your browser to use it and it should work.