How to combine networks on Mikrotik (central office and additional offices)?
Given:
1. Let's call the central office (A); its network is 10.0.0.0/24, where the servers and users are located.
2. A sub-office, let's call it (B), network 10.0.1.0/24; only users are there.
3. A sub-office, let's call it (C), network 10.0.2.0/24; only users are there.
Further offices may open later: D (10.0.3.0/24), E (10.0.4.0/24), F (10.0.5.0/24), etc., so I want to do it right from the start :)
All offices except A have dynamic IPs, and all offices have MikroTik routers installed.
Task: all offices need to be joined in such a way that they see only the central network 10.0.0.0/24 but do not see each other, while the central network (A) sees all the networks.
What is the best way to implement this, and with what? PPTP, L2TP, EoIP over them? In general, I need the advice of a guru :) with examples if possible :)
Taking the dynamic addresses into account, it is best to use L2TP tunnels.
First, you bring up the L2TP server and set up the secrets and transit addresses (these are the ones the tunnels themselves will use). Then, on the additional office side, configure an l2tp-client and add a route to the head office network whose gateway is the head router's address inside the tunnel. At the head office do the opposite: a route to the branch network with the branch's tunnel address as the gateway.
The final touch is to exclude this traffic from NAT on both devices (if it happened to end up there by accident or on purpose).
The entire network has been built. The pings are moving.
Now encryption. On the head, you bring up a peer with the address 0.0.0.0/0 and enable the policy-generation option. Edit the default template on the Policies tab and, instead of All in the protocol field, set udp and port 1701; this removes the chance of the central router being locked out by an accidental misconfiguration on the additional office side, because the policy-generation option is dangerous. Set up the peer and proposals to your taste; the main thing here is symmetry, they must match at the head and at the additional office.
The last step for encryption is to create a peer on the additional office router in IPsec and add a policy. In your case the policy will look something like this:
Src Address = SA Address = public IP of the additional office (the current one)
Dst Address = SA Address = public static IP of the head office
Leave the Tunnel checkbox unchecked.
If everything is encrypted and the L2TP tunnel is established, all that remains is to solve the problem of the dynamic address in the branch's IPsec policy: since the address will change, it also needs to be updated in time.
Here is a ready-made script: wiki.mikrotik.com/wiki/IPSec_Policy_Dynamic. Replace the find in the script with the specific policy number (in your case "0") and run it once a minute through the scheduler. I think you'll need to debug it first on a local device, but in general, if you administer such a network, you'll figure it out =)
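The whole procedure from this answer in RouterOS CLI form (L2TP server and client, transit routes, NAT exclusion, a UDP-only IPsec template on the head so a branch cannot generate a policy that swallows all traffic, a transport-mode policy on the branch, and a scheduler script that follows the branch's dynamic WAN address). This is an added example, not the answer's own code and not the MikroTik wiki script. Assumptions: RouterOS v6 CLI with the older peer syntax where the pre-shared secret sits on the peer; the head's public address 203.0.113.10, the branch's current dynamic address 198.51.100.20, the transit pair 10.255.255.1/10.255.255.2, the WAN interface name ether1-wan, the policy comment "to-A", and all passwords are placeholders; all office subnets are assumed to fit in 10.0.0.0/21. It also adds the forward-chain drop rule that keeps branches from reaching each other, which the question asks for but this answer does not cover.

```routeros
# ===== Head office router (A), LAN 10.0.0.0/24, static public IP 203.0.113.10 (assumed) =====
# One PPP secret per branch; transit addresses are what the routes below point at.
/ppp secret add name=officeB password=CHANGE-ME-B service=l2tp \
    local-address=10.255.255.1 remote-address=10.255.255.2
/interface l2tp-server server set enabled=yes
# Branch LAN is reachable via the branch's tunnel-side address.
/ip route add dst-address=10.0.1.0/24 gateway=10.255.255.2 comment="to officeB"
# Keep office-to-office traffic out of masquerade; assumes a masquerade rule already exists at index 0.
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.0/21 \
    action=accept place-before=0 comment="no NAT between offices"
# Branches must not see each other: drop forwarding between any two branch subnets.
# Put this rule above any accept rule in the forward chain.
/ip firewall address-list add list=branches address=10.0.1.0/24
/ip firewall address-list add list=branches address=10.0.2.0/24
/ip firewall filter add chain=forward src-address-list=branches dst-address-list=branches \
    action=drop comment="branch isolation"
# IPsec: proposal must be identical on both ends.
/ip ipsec proposal set [find default=yes] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
# Restrict the template to UDP so a generated policy can only ever cover L2TP, never "all traffic".
/ip ipsec policy set [find template=yes] protocol=udp
# Passive peer for any branch address; port-strict keeps the generated policy on the L2TP port.
/ip ipsec peer add address=0.0.0.0/0 passive=yes secret=CHANGE-ME-PSK \
    exchange-mode=main generate-policy=port-strict

# ===== Branch router (B), LAN 10.0.1.0/24, dynamic WAN on ether1-wan (assumed) =====
/interface l2tp-client add name=l2tp-A connect-to=203.0.113.10 user=officeB \
    password=CHANGE-ME-B add-default-route=no disabled=no
/ip route add dst-address=10.0.0.0/24 gateway=10.255.255.1 comment="to head office"
/ip firewall nat add chain=srcnat src-address=10.0.1.0/24 dst-address=10.0.0.0/24 \
    action=accept place-before=0 comment="no NAT to head office"
/ip ipsec proposal set [find default=yes] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip ipsec peer add address=203.0.113.10/32 secret=CHANGE-ME-PSK exchange-mode=main
# Transport-mode (tunnel=no) policy covering only UDP/1701 between the two public addresses.
# src-address / sa-src-address hold the branch's *current* dynamic address (constructed value).
/ip ipsec policy add src-address=198.51.100.20/32 dst-address=203.0.113.10/32 \
    protocol=udp src-port=1701 dst-port=1701 \
    sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 \
    tunnel=no action=encrypt level=require proposal=default comment="to-A"
# Follow the dynamic WAN address: rewrite the policy whenever the address on ether1-wan changes.
# Assumes exactly one address is configured on ether1-wan.
/system script add name=ipsec-dyn source={
    :local wan [/ip address get [find interface="ether1-wan"] address]
    :local ip [:pick $wan 0 [:find $wan "/"]]
    :local pol [/ip ipsec policy find comment="to-A"]
    :if ([:tostr [/ip ipsec policy get $pol sa-src-address]] != $ip) do={
        /ip ipsec policy set $pol src-address="$ip/32" sa-src-address=$ip
        :log info "IPsec policy to-A moved to $ip"
    }
}
/system scheduler add name=ipsec-dyn interval=1m on-event=ipsec-dyn
```

Office C repeats the branch half with 10.0.2.0/24, its own PPP secret and a second transit pair, plus one more route and address-list entry on A. Paste the script block into the terminal rather than into a one-line source string, and check with /ip ipsec remote-peers and /ip ipsec installed-sa that the SA re-establishes after the address changes.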
Make GRE tunnels between the branches and the centre: minimal setup and overhead. On top of them configure routing however you like, OSPF or static.
Access can be separated by the routes on the remote sites plus a simple ACL.
Forget about EoIP, it is not your case.
If you want security, bring up IPsec and run GRE on top of it.
UPD: oh, I see you have dynamic addresses on the WAN side there, that's a pity.
In that case, use L2TP instead of GRE.
I don't advise running Ethernet over VPN (unless you have some old-school SIP there).
OVPN is more stable, L2TP is simpler. The usual choice is L2TP+IPsec. In your place I would straight away look at a MikroTik with hardware encryption as the server.
The beauty of OVPN is that you can hang it on any port; in particular I use 443, which gets through almost anywhere.
A dynamic address is not such a big problem, it is one line of script:
/interface gre set "the tunnel where we put the dynamics" remote-address=[:resolve "my favorite host"]
and into the scheduler at whatever interval you like.
GRE+OSPF+IPsec is the best choice.
L2TP/IPsec is configured like this: nixman.info/?p=2308. Setting up L2TP/IPsec between two MikroTiks is on the MikroTik wiki; it comes up right away.
Well, then set up static routes towards HQ (maybe not even a default route, if you don't want branch VKontakte traffic loading the VPN), and on the head router sort out the firewall: who can go where.
The best instruction (+ video) on Setting up L2TP on MikroTik to combine offices ... .
For a cheap L2TP+IPsec setup, I recommend looking at the MikroTik hEX (RB750Gr3), with a powerful processor and IPsec hardware acceleration. More expensive models with hardware encryption can be installed in the central office.