MikroTik

Of course it is (if both routers run RouterOS 7.x). Just bear in mind that the Wireguard configuration itself is identical at both peers; what reduces their roles to a "client" and a "server" (or rather an "initiator" and a "responder") is the network topology.

Each peer acts as a responder by listening for incoming Wireguard transport packets on a particular UDP port; when a payload packet arrives from the "inside", the peer acts as an initiator by sending a transport packet to the address and port of the other peer from that same UDP port. In order that this worked, the network path from the initiator to the responder must be predictable, i.e. the responder must have a public IP address on itself, or there must be a port-forwarding rule on some other router through which the responder is connected to the internet.

So on the client (initiator), you configure the public IP address and port through which the responder is accessible; if the initiator runs on a non-public IP address and there's a dynamic NAT on its route to the internet, you can configure any random IP address and port on the responder to represent the initiator peer, as they will get rewritten by the actual ones once the first packet from that initiator arrives through that NAT.

@Mehrdadx

A large number of public DNS servers are filtered. It is going to fail at resolving your DDNS record. You could order a public IP for a DVR or something like that.

PPPOE ?

No, It is going to change. However, You could use a script to get the new one and set it as your site A peer endpoint. What do you want to do with WG? IP Tunnel is better

If both sides are MTs' you should use an IP Tunnel because WG and OVPN are UDP and are being targeted widely right now.

viewtopic.php?t=182340

Yes, It could be secured with IPsec.

Yes, It could be secured with IPsec.

One side has to have a public IP address.

I have a Wireguard VPN from the office to the warehouse. Warehouse has cable internet with a publicly reachable IP address.

The office is behind Starlink with carrier grade NAT.

Connection has been running for months at this point.

The warehouse is the relay for when we are in the field. Open Wireguard tunnel to warehouse... You can browse right to the office server.

If both sides are MTs' you should use an IP Tunnel because WG and OVPN are UDP and are being targeted widely right now.

The only remaining "solution" is SSTP which looks like normal HTTPS traffic, but once they block the destination addresses (all non-iranian ones), the only way is satellite internet for getting the traffic across the border, and frequently changing iranian public addresses providing the gateways. And there is only a limited number of public addresses available. Plus SSTP only works on computers, not on mobile phones, limiting the practical usability, but that's no difference to GRE and IPIP.

Unless you can run OpenWRT in a container, you'll have to install an OpenWRT x86/64 instead of/next to the CHR.

But I'm quite pessimistic regarding any benefit. The guys whose business is to cut you off seem to be quite flexible (and most likely they monitor this forum too).