Community discussions

 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya

Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 8:29 am

I am looking at using MikroTik devices to do some site-to-site VPN (branch to branch), but from all the tutorials/blogs that I am looking at it seems that I need static public IPs to perform the configurations.
I have 58 branches spread across; does it ideally mean I need 58 public IPs?
I am just looking for clarification, or maybe a solution for how I can go about this using either WireGuard or IPsec.

Thanks.
Last edited by Datanav on Sat Feb 11, 2023 8:45 am, edited 2 times in total.
 
ConradPino
Member
Posts: 441
Joined: Sat Jan 21, 2023 12:44 pm
Location: San Francisco Bay

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 8:57 am

Yes, 58: while local networks are typically private IP, every working Internet site has at least one dynamic or static public IP.

VPN can work with a dynamic IP but not without a public IP; otherwise a connection to the public Internet just doesn't work.

IMO 58 sites is potentially complicated. Study carefully which sites need to connect directly.
A hub-and-spoke model has the fewest site-to-site connections; a static public IP at the hub is simpler.
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 9:06 am

If only MikroTik could support dynamic DNS, then setting up 58 sites would technically be easy.
 
ConradPino
Member
Posts: 441
Joined: Sat Jan 21, 2023 12:44 pm
Location: San Francisco Bay

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 10:53 am

IMO that conclusion is premature. If we look at the RouterOS OpenVPN documentation, only the client requires an IP address. https://help.mikrotik.com/docs/display/ROS/OpenVPN

Let's choose one site as the "hub": as long as the hub router is powered up, its public IPv4 address is unlikely to change; it just keeps renewing its lease.
Worst case, order a static address for the hub site, which can be a centrally located cloud server. The "spoke" sites don't need a stable public IP address.
 
p3rad0x
Long time Member
Posts: 640
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 11:04 am

You don't need a public static address for each branch. Depending on your needs you can get it set up with only 1 location having a static public address, e.g. the head office.

Set up the VPN server at the head office and connect all the clients to it. For 58 branches you can set up OSPF or BGP to redistribute the routes between them.

You can also look at using WireGuard for the VPN, or you can do good old L2TP with IPsec.
 
bpwl
Forum Guru
Posts: 3140
Joined: Mon Apr 08, 2019 1:16 am

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 12:20 pm

Not all VPN setups need static IP addresses. (See SSTP, PPTP, OVPN, etc.; they at least accept a DNS FQDN for the server in the "connect to".)

Clients certainly don't need a static IP if they initiate the connection to the server. They can even be behind multiple NAT routers and use load balancing (failover).
Once the VPN is set up, the communication is bi-directional.

Even the server can be Dynamic DNS defined, with a variable IP address like on xDSL or a home cable modem.
And each MT router already has a Dynamic DNS entry with MikroTik. See "IP Cloud" and the DDNS setting.
Other DDNS services (like No-IP) can be used as well.
The VPN server can be behind NAT, but then the VPN server port needs to be DST-NAT forwarded. (The ISP must either give a public IP or allow for this.)
When the IP address of the VPN server connection changes, the VPN is dropped and the client reconnects.

(I use 2 VPN servers on 2 different ISPs, even in different locations, with dynamic DNS, for continuous connection for and between the VPN client MT routers.)
 
holvoetn
Forum Guru
Posts: 6998
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 12:56 pm

Using WireGuard you only need 1 static IP to use as endpoint for all peers, e.g. on the head office (and even that 1 static IP can be dynamic using e.g. MikroTik's own Cloud IP DNS service, provided that location allows port forwarding, but this might complicate things a bit, especially when the DNS service is unable to resolve the DynDNS name).

All the peers may even be hiding behind CGNAT; it will work. But you need 1 static or dynamic IP. You could even use a public service as pivot point? Then everything can be behind CGNAT.
 
bpwl
Forum Guru
Posts: 3140
Joined: Mon Apr 08, 2019 1:16 am

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 5:38 pm

@holvoetn: Do you update the DDNS IP address in the MT WireGuard config when the address has changed? Scripted?
New world here. It is indeed very convenient; it works flawlessly once you have found how to configure specific client devices, like Windows ( https://www.makeuseof.com/how-to-set-up ... d-windows/ ).
What extra services, like "Tailscale", can/should be used for a (dynamic) DNS based setup?
 
holvoetn
Forum Guru
Posts: 6998
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 5:56 pm

@holvoetn : Do you update the dDNS IP address in the MT Wireguard config, when the address has changed? Scripted ?

I use the MikroTik Cloud DynDNS service, as in <serial>.sn.mynetname.net.

It's all peers with WG, but for simplicity's sake let's talk about server and clients.
Clients connect to the server with the dynamic name as endpoint.
On the server side, you do not set an endpoint. The clients initiate the connection when dialing in.
If/when that IP changes, WireGuard usually resolves it on its own, since it will detect another IP being used for the communication.
That's how WireGuard works. Even when you set up a cell connection while driving in your car, hopping from base station to base station, even hopping from provider to provider, even crossing borders... it's guaranteed your client device changes IP addresses a couple of times.
I already did that when driving home from France (wife was driving, I was on the passenger seat with cell phone as hotspot and laptop connected via WG to home).
Only when the cell was really acquiring a new IP address was the connection temporarily lost. But then traffic starts flowing again.

I also had a CGNAT client connection in a vacation house in France (now sold, so bye bye France). On that device (SXT LTE6) I effectively had a script with netwatch to toggle peer status (re-initiating DNS resolving) when the connection was down. Usually that's only needed at boot time, when the WG interface starts before DNS resolving is active, since again, WireGuard is pretty good at re-resolving all that on its own during normal operation.
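The setup described in the posts above (hub with no endpoint, spokes dialing a DDNS name, netwatch bouncing the peer so the name gets re-resolved), written out as a RouterOS 7 CLI example. This is an added illustration, not configuration posted by anyone in the thread. Interface names, the 10.99.0.0/24 tunnel range, the 192.168.x.0/24 branch LANs, the DDNS hostname and the key placeholders are all made up for the example; replace them with your own.

```routeros
# ===== HUB (head office), RouterOS 7.x =====
# Spokes dial in, so the hub keeps NO endpoint for them: WireGuard learns each
# spoke's current public source address from its last authenticated packet.
/interface/wireguard add name=wg-hub listen-port=13231 comment="site-to-site hub"
/ip/address add address=10.99.0.1/24 interface=wg-hub

# Publish the hub's current public IP as <serial>.sn.mynetname.net (IP Cloud DDNS).
# If the hub sits behind an ISP NAT box, UDP 13231 must be dst-nat'ed to it there.
/ip/cloud set ddns-enabled=yes ddns-update-interval=1m

# One peer per branch. allowed-address is WireGuard's cryptokey routing: keep it to
# that branch's own tunnel /32 and LAN prefix, never 0.0.0.0/0, so a compromised
# spoke cannot source or attract traffic for another branch's subnet.
/interface/wireguard/peers add interface=wg-hub comment=branch-01 \
    public-key="<branch-01 public key>" allowed-address=10.99.0.11/32,192.168.11.0/24
/interface/wireguard/peers add interface=wg-hub comment=branch-02 \
    public-key="<branch-02 public key>" allowed-address=10.99.0.12/32,192.168.12.0/24

# Only the WireGuard port is opened on input; place this above your input drop rule.
# Unauthenticated packets to 13231 are silently ignored by WireGuard anyway.
/ip/firewall/filter add chain=input protocol=udp dst-port=13231 action=accept comment="WireGuard in"

# Static routes to each branch LAN via the tunnel (OSPF/BGP would replace these at scale).
/ip/route add dst-address=192.168.11.0/24 gateway=wg-hub
/ip/route add dst-address=192.168.12.0/24 gateway=wg-hub

# ===== SPOKE (branch-01), may sit behind CGNAT =====
/interface/wireguard add name=wg-b01 listen-port=13231
/ip/address add address=10.99.0.11/24 interface=wg-b01

# The endpoint is the hub's DDNS name, not an IP. persistent-keepalive keeps the
# CGNAT/NAT mapping alive so hub-to-branch traffic still flows after we dialed in.
/interface/wireguard/peers add interface=wg-b01 comment=hub \
    public-key="<hub public key>" endpoint-address=aabbccddeeff.sn.mynetname.net \
    endpoint-port=13231 allowed-address=10.99.0.0/24,192.168.0.0/16 persistent-keepalive=25s
/ip/route add dst-address=192.168.0.0/16 gateway=wg-b01

# Failure mode from the thread: after a reboot the peer can come up before DNS is
# usable, or the hub's public IP changes and the old one is cached. Netwatch pings
# the hub's tunnel address and bounces the peer when it is down, which forces a
# fresh lookup of endpoint-address.
/tool/netwatch add host=10.99.0.1 interval=30s timeout=3s \
    down-script="/interface/wireguard/peers disable [find comment=hub]; :delay 2s; /interface/wireguard/peers enable [find comment=hub]"
```

The spoke's `allowed-address` is what limits which destinations it will send into the tunnel; on the hub side it is what limits what each branch is allowed to claim. Per-peer `allowed-address` on the hub is the security control that matters here: if every spoke were given `0.0.0.0/0` there, any single compromised branch router could hijack traffic destined for every other branch.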
 
bpwl
Forum Guru
Posts: 3140
Joined: Mon Apr 08, 2019 1:16 am

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 6:25 pm

Thx... aha... the endpoint-address field accepts DNS, not only an IP address...
My tunnel thinking :-/ :-)
 
anav
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Do i need a static IP for any VPN setup?

Fri Feb 10, 2023 11:24 pm

Thx... aha... the endpoint-address field accepts DNS, not only an IP address...
My brain fried on wifi waves :-/ :-)
Fixed it for ya! :-)
 
aoakeley
Member Candidate
Posts: 179
Joined: Mon May 21, 2012 11:45 am

Re: Do i need a static IP for any VPN setup?  [SOLVED]

Sat Feb 11, 2023 7:38 am

I have 58 branches spread across, does it ideally mean I need 58 public IPs?
Other than if these 58 branches have internet connectivity they must have a public IP somewhere along the way, otherwise they would not be able to connect to the internet... But I presume this is not what you are getting at, and what you mean is static public IP addresses?

A fuller answer would be that only one site needs a "static public IP" so that all the other sites can connect to that site, and, as someone else said, then use OSPF to make your life a little bit easier when it comes to the routing (so you don't have to put static routes in everywhere). You can manage using only a public IP (not static) at one of the sites and use Dynamic DNS. But I would suggest that this is not ideal for reliability.

You CAN also do this if none of the sites have a directly attached public IP (e.g. if every site is behind CGNAT) by putting a virtual MikroTik router with any number of cloud providers (Azure or AWS would be the obvious choices) and then using that as a peering point for all the remote sites.

WireGuard is probably going to be easier for this type of config.

Hope this helps.
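Both this reply and p3rad0x's earlier one suggest OSPF over the hub-and-spoke tunnel so that branch prefixes are learned instead of being typed as static routes at 58 sites. The following is an added RouterOS 7 example of that, not configuration from the thread. It assumes a WireGuard hub interface `wg-hub` (tunnel address 10.99.0.1/24) with one peer per branch, and a branch interface `wg-b01` (10.99.0.11/24); those names, addresses and LAN prefixes are invented for the illustration. Unicast ptmp with static neighbours is used rather than multicast hellos, because WireGuard only accepts traffic that matches a peer's `allowed-address` and a multicast /32 can belong to only one peer per interface.

```routeros
# ===== HUB =====
/routing/ospf/instance add name=ospf-v2 version=2 router-id=10.99.0.1 disabled=no
/routing/ospf/area add name=backbone instance=ospf-v2 area-id=0.0.0.0 disabled=no

# Many spokes share one WireGuard interface: point-to-multipoint, unicast hellos.
# The interface cost/priority defaults are fine; no authentication is configured
# here because the tunnel itself already authenticates and encrypts the peers.
/routing/ospf/interface-template add area=backbone interfaces=wg-hub type=ptmp disabled=no

# Hub LAN is advertised but passive: no OSPF speaker on the LAN can form an
# adjacency and inject routes into the branch network.
/routing/ospf/interface-template add area=backbone networks=192.168.0.0/24 passive disabled=no

# One static neighbour per branch (unicast to its tunnel /32, which is already in
# that peer's allowed-address, so nothing extra has to be opened in WireGuard).
/routing/ospf/static-neighbor add address=10.99.0.11%wg-hub area=backbone
/routing/ospf/static-neighbor add address=10.99.0.12%wg-hub area=backbone

# ===== SPOKE (branch-01) =====
/routing/ospf/instance add name=ospf-v2 version=2 router-id=10.99.0.11 disabled=no
/routing/ospf/area add name=backbone instance=ospf-v2 area-id=0.0.0.0 disabled=no
/routing/ospf/interface-template add area=backbone interfaces=wg-b01 type=ptmp disabled=no
/routing/ospf/interface-template add area=backbone networks=192.168.11.0/24 passive disabled=no
/routing/ospf/static-neighbor add address=10.99.0.1%wg-b01 area=backbone

# The spoke's WireGuard peer for the hub must admit every prefix OSPF will hand it,
# otherwise the route is installed but the packets are dropped by cryptokey routing.
/interface/wireguard/peers set [find comment=hub] allowed-address=10.99.0.0/24,192.168.0.0/16

# Verify: the adjacency should reach Full and branch LANs appear as OSPF routes.
/routing/ospf/neighbor print
/ip/route print where ospf
```

Branch-to-branch traffic then hairpins through the hub, which is the topology the thread converged on. If a few branches need a direct path, add a second WireGuard peer between those two routers and let OSPF prefer it by cost; the hub keeps working as the fallback.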
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya

Re: Do i need a static IP for any VPN setup?

Sat Feb 11, 2023 8:39 am

Thanks everyone who has commented. I technically now have an idea of how to go about this, plus I have received more information from the client that not all sites need to talk to HQ; just a few branches need to talk to each other exclusively, and maybe much later they will need to all talk to the HQ. Other than that the clarity is satisfactory!
Thanks.