CrimpChimp
just joined
Topic Author
Posts: 1
Joined: Mon Dec 09, 2024 1:12 am

Secure communication via untrusted Ethernet connection

Mon Dec 09, 2024 3:46 am

Hi everyone,
I have a network setup with two apartments:
  • Apartment A has an internet connection (cable modem / router by AVM, which needs to stay); apartment B does not have a separate internet connection.
  • Unfortunately, connecting both sites via WiFi is not an option due to very poor connectivity.
  • There is a wired Ethernet link between the apartments, but since physical access to the cable by strangers cannot be prevented, it is an untrusted connection.
  • This connection needs to supply internet access for devices in apartment B as well as connect the devices of both apartments with each other.
I would like to secure the communication over this untrusted cable in a reasonable way using MikroTik devices. I recently bought a hEX refresh (E50UG) for my first test, and I might buy a second device if needed to create an encrypted tunnel. However, I am not entirely sure whether to use IPsec, WireGuard, MACsec or something else. I understand that the hEX has hardware acceleration for IPsec (which has a more complicated setup) and that WireGuard or MACsec would run entirely on the CPU.

Thanks in advance for your advice!
 
Njumaen
Frequent Visitor
Posts: 98
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: Secure communication via untrusted Ethernet connection

Mon Dec 09, 2024 8:41 pm

Try it and use the best for you.

I use macsec to secure an external cabled wAPax. Easy to configure and fast enough for me.

Ralf.
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Secure communication via untrusted Ethernet connection

Mon Dec 09, 2024 8:56 pm

Concur, WireGuard is good for two endpoints where both are connecting to the WWW; in your case it's only one end that has WWW access.
Here is a decent video on MACsec --> https://www.youtube.com/watch?v=8A5pt39nFfM&t=760s
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Secure communication via untrusted Ethernet connection

Tue Dec 10, 2024 12:23 am

Talking to a birdie, yes, it's very much possible to establish a WireGuard connection between two hEX refreshes, even if one does not have an internet connection.
When you say they have to talk to each other, do you mean the subnets (or at least one subnet) on the apartment B router have to be able to reach the subnets (or at least one subnet) on the apartment A router?
Typically, if two subnets should have full access to each other, there is no need for them to be different. Typically, however, it's a matter of sharing a printer or access to a specific device or devices, and thus different subnets work, with firewall rules.
Or do you mean they should have a common shared subnet? This affects the construction of the bridge and routes etc.....
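The setup anav describes in the last post, WireGuard between two hEX refresh routers where only apartment A has internet, as an added example (editor's configuration, not from the thread and not MikroTik's own documentation). It puts a private /30 transfer subnet directly on the cable so the tunnel handshake needs no WAN on either side, routes apartment B's LAN and its internet traffic through the tunnel, and locks the cable port down so that nothing but WireGuard UDP can enter it. Interface names (ether5 for the cable on both routers, ether1 on hEX A towards the AVM router, "bridge" for the LAN in B), the addresses 10.255.0.0/30, 10.10.10.0/30 and 192.168.20.0/24, and port 13231 are assumptions; the peer public keys are placeholders, read from `/interface/wireguard/print` on the other router.

```routeros
# Added example, not from the thread. Assumed layout (all names/addresses are assumptions):
#   ether5 on both routers = the untrusted cable (plaintext, carries only WireGuard UDP)
#   10.255.0.0/30          = transfer subnet on the cable
#   10.10.10.0/30          = addresses inside the tunnel
#   192.168.20.0/24        = LAN in apartment B (bridge "bridge" on hEX B)
#   hEX A reaches the AVM router through ether1
# The default hEX config bridges ether2-ether5; the cable port is taken out of the bridge first.

########## hEX A (apartment A, AVM router upstream on ether1) ##########
/interface/bridge/port remove [find interface=ether5]
/interface/list add name=untrusted
/interface/list/member add list=untrusted interface=ether5
/ip/address add address=10.255.0.1/30 interface=ether5 comment="transfer net on the cable"

# RouterOS generates the private key when none is given; read the public key with
# /interface/wireguard/print and paste it into the peer entry on the other router.
/interface/wireguard add name=wg-link listen-port=13231
/ip/address add address=10.10.10.1/30 interface=wg-link
/interface/list/member add list=LAN interface=wg-link comment="tunnel is trusted like the LAN"
/interface/wireguard/peers add interface=wg-link public-key="<public key of hEX B>" \
    allowed-address=10.10.10.2/32,192.168.20.0/24 comment="hEX B"
/ip/route add dst-address=192.168.20.0/24 gateway=10.10.10.2 comment="apartment B LAN via tunnel"

# Only WireGuard from the other router may enter from the cable; everything else is dropped.
# These rules must sit above any general accept rule already in the firewall.
/ip/firewall/filter
add chain=input in-interface-list=untrusted protocol=udp dst-port=13231 \
    src-address=10.255.0.2 action=accept comment="WireGuard from hEX B"
add chain=input in-interface-list=untrusted action=drop comment="drop all other input from the cable"
add chain=forward in-interface-list=untrusted action=drop comment="never forward plaintext from the cable"

# Apartment B's internet traffic leaves via the AVM router. Masquerading means the AVM
# router needs no return route; for hosts in A to reach B on their own, add a static route
# to 192.168.20.0/24 via hEX A on the AVM router instead.
/ip/firewall/nat add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 action=masquerade

########## hEX B (apartment B, no internet of its own) ##########
/interface/bridge/port remove [find interface=ether5]
/interface/list add name=untrusted
/interface/list/member add list=untrusted interface=ether5
/ip/address add address=10.255.0.2/30 interface=ether5 comment="transfer net on the cable"
/ip/address add address=192.168.20.1/24 interface=bridge comment="apartment B LAN"

/interface/wireguard add name=wg-link listen-port=13231
/ip/address add address=10.10.10.2/30 interface=wg-link
/interface/list/member add list=LAN interface=wg-link
# The endpoint 10.255.0.1 is on-link via ether5, so the encapsulated packets never
# depend on the default route below and no routing loop forms.
/interface/wireguard/peers add interface=wg-link public-key="<public key of hEX A>" \
    endpoint-address=10.255.0.1 endpoint-port=13231 persistent-keepalive=25s \
    allowed-address=0.0.0.0/0 comment="hEX A"
/ip/route add dst-address=0.0.0.0/0 gateway=10.10.10.1 comment="all of B's traffic goes through the tunnel"

/ip/firewall/filter
add chain=input in-interface-list=untrusted protocol=udp dst-port=13231 \
    src-address=10.255.0.1 action=accept comment="WireGuard from hEX A"
add chain=input in-interface-list=untrusted action=drop comment="drop all other input from the cable"
add chain=forward in-interface-list=untrusted action=drop comment="never forward plaintext from the cable"
```

With this in place, someone tapping the cable sees only the two transfer addresses and WireGuard UDP; they can cut or jam the link but cannot read or inject LAN traffic, and the drop rules on the "untrusted" list stop them from using the cable port as a way into either router or LAN. Check the tunnel with `/interface/wireguard/peers/print` (last-handshake and rx/tx counters) and confirm with `/tool/sniffer` on ether5 that nothing but UDP 13231 appears there. MACsec, which Njumaen and anav mention, achieves the same goal one layer down by encrypting the Ethernet frames themselves, so the transfer subnet and per-port firewall rules are not needed in that design.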