Consolidation of branches through VPN on Mikrotik?
Good afternoon/evening/night!
The company has 5 offices (1 main and 4 branches). The bottom line is this: right now the offices are joined through a provider VLAN, for which a separate fee is paid, and which has its own speed limit. I would like to replace all of this with VPN connections.
There are subnets:
a) central office with servers and clients (192.168.0.0/24)
b) branch office with local file storage and clients (192.168.1.0/24)
c) branch office with local file storage and clients (192.168.5.0/24)
d) branch with local file storage and clients (192.168.17.0/24)
e) branch with local file storage and clients (192.168.88.0/24)
It is necessary:
1) that all offices can see each other;
2) that Internet traffic does not go through the VPN, only traffic to the other offices' local networks.
All offices have Mikrotik with RouterOS 6.20, static WAN IP addresses everywhere.
I need advice on the best way to implement all this: L2TP, PPTP or OVPN. I'm asking the gurus for help; I'm a novice admin myself and not yet strong in routing :(
Maybe there is an alternative option, not a VPN.
In short, tell me, please :)
Mikrotik has a wonderful IPIP tunnel which adds IPsec as soon as you type in a password.
In conjunction with OSPF, VPNs are built with a bang.
It can be a star, it can be a full mesh; OSPF will rebuild everything itself and find the shortest route.
The most popular VPN implementations on Mikrotik are described here: https://serveradmin.ru/nastrojka-vpn-openvpn-l2tp-...
You can read and test it. I would advise you L2TP + IPsec. If you plan to grow the number of branches, set up OSPF right away. In a simple configuration like yours, it's not hard. If there is definitely no growth, then it is possible without it: write the routes by hand once.
Although the question is old, I'll reply, maybe someone needs it. I use L2TP + IPsec on Mikrotiks with hardware encryption support. Works stably. And never use the 192.168.0.0/16 networks; they are only suitable for home, and even then it is better to take the 172 range. For production networks, use 172.16.0.0/12 or 10.0.0.0/8. Otherwise, when you need to build a VPN mesh between 192.168.x subnets whose addressing you cannot change, you'll get a real headache :)
Keep in mind that in 99% of cases the bottleneck will be the Mikrotiks you have, and you didn't write which ones. The provider VLAN saves you from this problem: you don't need to encrypt traffic.
Otherwise, you can do it the classic way: L2TP + IPsec.
IPsec.
At the central office, a connection is configured to every branch; in a branch, only to the center. The policies, however, will have to be written on the branch Mikrotiks according to the number of branches, one on each, so that it is clear that those packets need to go into the tunnel rather than out to the Internet. All other traffic on branch routers goes to their ISP.
True, the central one must have hardware encryption, otherwise a couple of tunnels will bring it to its knees.
Set up a couple of offices on the simplest protocol, PPTP, and evaluate stability and speed. Then at any time you can rebuild to strong encryption, if necessary. Configuration script generator for Mikrotiks: https://t-ev.ru/mikrotik_pptp/ ; you can also find one there for IPsec.
If there is a public (white) IP from the provider everywhere, build IPIP. It is the easiest to build. In the routing settings you specify a route to the branch network through this tunnel on the main Mikrotik, and the reverse route on the branch one, and everything works right away.
In general, first of all read about routing: what it is, how it works and what it is for. Without knowing this, I see no point in climbing into all sorts of VPN tunnels. Otherwise you'll bring up the VPN and won't understand why nothing works.
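A worked RouterOS 6 configuration for the IPIP + IPsec + static routes design described in the answers above. This is an added example, not a config posted by any of the answerers; the WAN addresses (203.0.113.1, 198.51.100.1), the transit /30, the interface name ether1-wan and the secret are constructed placeholders.

```routeros
# --- Central office (192.168.0.0/24), WAN 203.0.113.1 (constructed placeholder) ---
# One IPIP tunnel per branch. Setting ipsec-secret makes RouterOS create the
# IPsec peer and policy for the tunnel's outer traffic automatically.
/interface ipip
add name=ipip-branch-b local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="CHANGE-ME-branch-b" mtu=1400
# Point-to-point transit addressing inside the tunnel (constructed).
/ip address
add address=10.255.1.1/30 interface=ipip-branch-b
# Only the branch LAN is routed into the tunnel; the default route stays with
# the ISP, so Internet traffic from either site never enters the VPN.
/ip route
add dst-address=192.168.1.0/24 gateway=10.255.1.2 comment="branch b via IPIP"
# Masquerade ONLY on the WAN interface: a bare action=masquerade without
# out-interface would also NAT the inter-office traffic inside the tunnel.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
# Admit the tunnel's outer protocols only from the branch's static WAN IP.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=198.51.100.1 action=accept
add chain=input protocol=ipsec-esp src-address=198.51.100.1 action=accept
add chain=input protocol=ipencap src-address=198.51.100.1 action=accept

# --- Branch b (192.168.1.0/24), WAN 198.51.100.1 (constructed placeholder) ---
/interface ipip
add name=ipip-center local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="CHANGE-ME-branch-b" mtu=1400
/ip address
add address=10.255.1.2/30 interface=ipip-center
# Star topology: the central LAN and every other branch LAN are reached through
# the centre; everything else (Internet) keeps the branch's own ISP default route.
/ip route
add dst-address=192.168.0.0/24  gateway=10.255.1.1 comment="center"
add dst-address=192.168.5.0/24  gateway=10.255.1.1 comment="branch c via center"
add dst-address=192.168.17.0/24 gateway=10.255.1.1 comment="branch d via center"
add dst-address=192.168.88.0/24 gateway=10.255.1.1 comment="branch e via center"
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.1 action=accept
add chain=input protocol=ipsec-esp src-address=203.0.113.1 action=accept
add chain=input protocol=ipencap src-address=203.0.113.1 action=accept
```

Repeat the central block for branches c, d and e with their own transit /30 and secret; if your forward chain drops by default, also accept traffic between the LAN bridge and the ipip interfaces.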
I use EoIP for a bunch of offices. You can also attach IPsec to it. It seems EoIP has higher speed and reliability than L2TP.
It is worth considering that providers have started blocking GRE.
PPTP likewise does not work without GRE.
It is also worth understanding that the provider VPN most likely has a dedicated speed right now. When you start running it yourself, I think the speed will drop sharply. And the offended provider will close GRE.
The way out is SSTP on port 443. But it has no speed at all.
If there are public (white) IPs everywhere, then I would try EoIP. If there are none, then PPTP is possible, but inside EoIP. If they come up, then GRE is working.
If necessary, I can send a config of already working branches. 1 office and 9 branches run on them for me. No encryption: PPTP, not IPsec.
We did a merger of branches, very similar to your case.
The provider organized everything for us and built an L2 network without VPN; as I understand it, you also have L2 but with VPN.
You just need to get an L2 network between the branches from the provider and take a firm position: no VPN. The connection will be stable and fast. I do not recommend going towards OVPN, PPTP services ...
Here they advised ... to ask the provider for an L2 tunnel ... and what if the providers at different offices have different ASes? How much does a VPLS tunnel cost?
SSTP is good for this ... it will crawl through any NAT. And it doesn't need GRE. Just one office with a public (white) IP is enough.
Everything is set up in a few clicks. If you need IPsec, then first think about whether it is really needed. And if it is, take Mikrotiks with hardware IPsec support.