MikroTik remote access blog

I wrote up a blog post about rolling your own remote access with screenshots here: Thaea Software – Creating smart network solutions for MikroTik if you don’t want to rely on MikroTik's DDNS based on mynetname.net. Bonus: it works with NAT and doesn’t require a public IP! Hope this helps - let me know if there are questions/comments!

I use a main VPN concentrator with CHR on VMware vSphere on a @OVH cloud solution, as well as 2 failovers on a CHR on a dedicated server and also a physical MikroTik RB, all in a datacenter.

For Europeans with small-scale MikroTik VPN concentrator needs, take a look at www.fusa.be. You can buy an RB from them and they will preconfigure and colocate it in a datacenter. Or you can even ship one to them. All this for a very affordable price and a fixed public IPv4 and IPv6!

Remember: leaving the Winbox port open is BAD. Always use a VPN to connect to your MikroTiks!

I can vouch for Marc and the remote winbox team. I’ve been using that software for MSP for almost a year, I think, and it is PHENOMENAL! It has the essential features and they are always looking for ways to make it better while keeping it efficient. They also have an on-prem option.

Customer MT RBs are all simultaneously connected to each concentrator and, if that is the case, to their other infrastructure or RB. For some customers I deployed their own VPN concentrator as they have site-to-site traffic passing through. For management-only purposes it doesn’t take that many resources. If one falls I can still connect to each RB via the other concentrators.

That way I can manage RBs in Madagascar, France, Belgium…
For Madagascar it will be next level when they finally have Starlink Internet.

How are you keeping configuration in sync?
How are you handling the failover?

Exactly what hesiodus is saying - if the VPN concentrator is NOT the default gateway then the only traffic that goes over is very small hello/keep-alive packets and whatever you use when you remote in (SSH/Winbox - usually less than 1Mbps in the long run). Very lightweight.

The only thing that changes in the config is actually the fact that, to be able to route, the VPN concentrators have different IP addresses. For example, I use 172.16.11.101 for customer 1 on concentrator 1 and 172.16.12.101 on concentrator 2. That way I can still connect to customers.
On customer routers I just change the distance to 2, 3 and 4 in the routing table.