a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Remote sites, dynamic addresses - VPN to HQ LAN

Tue Dec 19, 2017 12:08 pm

Hello everyone,
I would like to ask you for your help.

I need to connect the company LAN to several remote sites, as I tried to show in the picture. Every remote site contains one industrial unit, controlled via its own web server/interface. To access it by default, a PC user logs on locally using a web browser; the initial page starts a plugin which has to be pre-installed on the PC (so it's not only HTTP traffic; several TCP/UDP ports are involved). The unit's IP address is configurable, but only in the private 192.168.120.0/21 range (default 192.168.123.10).

“Need to connect” I mentioned before specifically means: in order to remotely monitor/control remote units, users need to access their web interface from company LAN.
Internet connection for the remote sites is provided via the GSM network, using industrial-grade, high-speed, Linux-based GSM routers (not MikroTik). The GSM ISP provides dynamic, private IP addresses only (10.38.0.0/16 range). It seems to me that some kind of VPN tunnel from each GSM router to HQ would be the way to go. These routers have GRE, IPSec, OpenVPN, PPTP and L2TP sections in their VPN options.

I was wondering if anyone here perhaps has a situation like this already in operation? And how was it configured?
If not, what would be the best (or easiest) way to implement something like this?

Thank you
Regards
Image
 
poizzon
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Tue Dec 19, 2017 9:41 pm

GSM router as VPN client, connecting to the MikroTik VPN server on the static WAN IP.

I do not really understand the essence of the question.
 
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Tue Dec 19, 2017 11:07 pm

In the picture above, enable LAN users (located on the 192.168.0.0/21 network) to see the web interface on the remote units (192.168.123.10, 192.168.124.10,...), using GSM routers to provide Internet connectivity for the remote sites.
 
poizzon
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 2:21 am

Make a VPN connection from the GSM routers to the MikroTik router, and add a route to the destination subnet.

P.S.: I hope the WAN IP addresses are static and WAN address
 
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 2:36 am

Sure. GRE? IPSec? GRE over IPSec? etc., etc. I've been reading about various scenarios here on the Forum and haven't been able to find one close enough to my case. Some require static (or public/static) addresses at both ends, some do not support non-TCP traffic,...

WAN IP addresses:
- HQ LAN yes -> static, public address
- remote GSM routers, no -> dynamic, private addresses
 
poizzon
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 4:15 am

Non-TCP traffic - what traffic do you need? Web interface?

As I said before, create a VPN between the modem and the MikroTik (the GSM modem will be the client). I preferred to use OpenVPN.

And add routes so that the modems and the MikroTik know where the subnet is.
 
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 8:43 am

Non-TCP: Not sure. The initial web page (after successful user authentication) starts a proprietary plugin, which I'm pretty sure uses UDP as well.
OK, I'll try with OpenVPN.

Thanks Poizzon
 
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Thu Dec 21, 2017 1:53 pm

Following Poizzon's advice, using mainly "OpenVPN for Dummies" 1 / 2 and MT's "Open VPN" wiki, I was able to configure the HQ router as a VPN server and the first (test) GSM router. Reading and searching various steps as I progressed, I was somewhat surprised to see limitations in MT's Open VPN implementation (no UDP/compression) and, even more, no GUI for the OVPN server (my default MT configuration tool is Winbox and this is the first time I've stumbled upon such a situation).

Anyway, the current situation is: the GSM router reports that the tunnel is established, my CCR's log displays the ovpn, info message "TCP connection established from...", but I don't know where to "point" the route as ovpn-server is not present among the interfaces. I tried defining ovpn-server-binding but it does not report an established connection.

Help, please

Thanks
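
One way the HQ side of the setup discussed in this thread could be laid out on RouterOS 6.x, with one PPP secret per GSM router and the site route attached to that secret. This is an added example, not a configuration posted by anyone in the thread; the tunnel range 10.255.0.0/24, the secret names, the passwords, the certificate name `hq-server` and the /24 per remote site are assumptions.

```routeros
# Added example, not from the thread. Constructed values: tunnel range
# 10.255.0.0/24, secret names, passwords, certificate name "hq-server",
# and a /24 per remote site (the thread only gives the unit addresses).

# One profile for all site tunnels; the HQ end of every tunnel is 10.255.0.1.
/ppp profile
add name=ovpn-sites local-address=10.255.0.1 use-encryption=required

# One secret per GSM router, each with a fixed tunnel address, so a
# compromised site credential can be revoked on its own. "routes" installs
# the site's LAN route on the HQ router while that client is connected
# (format: dst-address gateway metric), so no interface has to be named.
/ppp secret
add name=site1 service=ovpn profile=ovpn-sites password="REPLACE-ME-1" \
    remote-address=10.255.0.11 routes="192.168.123.0/24 10.255.0.11 1"
add name=site2 service=ovpn profile=ovpn-sites password="REPLACE-ME-2" \
    remote-address=10.255.0.12 routes="192.168.124.0/24 10.255.0.12 1"

# OpenVPN server (TCP only on this RouterOS generation, as noted above).
# Client certificates are required in addition to the per-site password.
/interface ovpn-server server
set enabled=yes port=1194 mode=ip default-profile=ovpn-sites \
    certificate=hq-server require-client-certificate=yes \
    auth=sha1 cipher=aes256

# Optional static bindings, useful for per-site firewall rules. A binding
# is matched to a client by user name, so "user" must equal the secret name.
/interface ovpn-server
add name=ovpn-site1 user=site1
add name=ovpn-site2 user=site2

# Verify once a GSM router has connected.
/ppp active print
/ip route print
```

The remote side is assumed to forward between the tunnel and its LAN, and each unit is assumed to use its GSM router as the gateway back to 192.168.0.0/21.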
