Ok, took some time to test and it seems to work. I can winbox over a vpn tunnel to another Mikrotik device.
Here are the steps I took. (This assumes you disable your filter drop rules during the VPN creation process so you then know how to filter out unwanted inbound internet traffic later, I'll explain why in a minute. )
Main Router (VPN Server)
IP>Cloud>DDNS Enabled Checked>Update Time Checked>Copy and paste the DNS name somewhere easy to get to. You'll need it later. >Click OK.
PPP>Profiles>Add profile>Name= vpnServerProfile> local address= 10.10.20.1>Click OK
PPP>Secrets>Add Secret>Name=<AccessPointIndenity> (however you will identify this particular access point)>password=<supermegacoolpassword1>(you get the hint, use something standardized for your vpn users)>profile=vpnServerProfile>RemoteAddress=10.10.20.51(this will be the static IP for your first access point that will be connecting)>Click OK
PPP>InterfaceTab>PPTP Server>Check Enabled, make sure your max mtu/mru are at 1450.>Default Profile=vpnServerProfile>Check MsChap2 & MsChap1>Click OK.
Your VPN server is live and should be able to accept VPN connections that match your profile & secret.
Remote Router (VPN Client)
PPP>Profiles>Add profile>Name= vpnClientProfile> Click OK
PPP>Interface>Add PP2P Client>Name=PP2PClient>Dial Out Tab>Connect To:<MainRouterDNS-NameYouCopiedEarlier>user=<AccessPointIndenity>password=<supermegacoolpassword1>Profile=vpnClientProfile.
DO NOT CHECK ADD DEFAULT ROUTE. >Check MsChap2 & MsChap1>Click OK.
With any luck, your VPN connection should be live. You can verify this on the VPN sever>PPP>Active Connections
Now, if you want to be able to Winbox into that remote VPN Client, and your laptop is connected on the lan of the vpn server. You'll need to add a static return route.
On the VPN Client router>IP>Routes>Add New Route>Dst Address should be the LAN address of your VPN Server (Mine is 192.168.88.0/24 for example).Gatway=PP2PClient>Click Apply and you should see 'reachable'>Click OK
At this point, you should be able to Winbox to the VPN Client via the VPN Client IP (10.10.20.51). Voila.
Repeat the Secrets on the VPN server as many times as you have remote access points, and then just follow the Remote Router (VPN Client) setup.
Now here's a security warning. A) PPTP isn't the greatest encryption, but that doesn't matter to me for the most part for a scenerio where I'm only connecting to mikrotik devices for 'routine checkups'. B) Your firewall rules. You need to have something. However because your mobile provider doesn't give you public IPs, you're going to have to use DDNS. Turn on the built in DDNS on each AP. You'll need to put all those DDNS names in a spreadsheet/text file and use a script to resolve them every 30 minutes via the VPN Server router. Once resolved, those IPs would be added to a Firewall Address list with a timeout of 00:29:58. This way every 30 minutes, the address would time out and then new resolve the name and start the process over again. You can multiple IPs in the same address list name (multiple separate entries). You would then add this Address list to the Input Drop Rule (In Interface=Wan ether) > Advanced Tab>Src Address List= address list name>Tick the box to the left of it. This is a 'not' or exception box. >Action Tab>Action=Drop>Click OK
***Only Do this if you're DIRECTLY connected to the router, because if you miss a step or fat finger in THIS specific drop rule, you risk the chance of blocking yourself*** So basically in your input drop rule would drop everything inbound via the Internet will be blocked EXCEPT for your Address list (which is dynamically being updated by a script which is being called by the scheduler.)
I don't have the script available. However, I have scene a few resolve>address list scripts around. If I find one, I'll post it.
That's the only thing I need. I know next to nothing regarding VPNs.