In theory it's possible.
In the case of VPN tunnels, it would be enough to create 3 different WireGuard instances pointing to 3 different end-points (VPS) with different allowed IPs. The only differences in configuration would be to configure a different listening port on the RUT360 for each WireGuard instance (for example port 51820 for Tunnel1, port 51821 for Tunnel2, port 51822 for Tunnel3), as well as point that specific instance to desired VPS. The most important part is to make sure the IP addressing does not duplicate. Also, make sure the listening ports do not get mixed up on the RUT360 side and on the individual VPS side because in the "wg0.conf" file (on VPS), at the very bottom there is a line "Endpoint = 0.0.0.0:51820" - change the port according to the listening port on RUT360 for specific tunnel instance. Also, naturally, slight modification in rules is necessary (for IP addressing) and completely different private/public key pairs must be used for each tunnel.
Regarding the external port forward part on the router - this is where a potential issue might arise. Unfortunately, I cannot give you a definitive answer because this is more of a Helium-specific thing but as far as theory goes, the current requirements in Helium network documentation (for the "Relayed" status) require the external port to be 44158 which, technically, will be true. When creating a new port forward rule, I highly recommend setting the "Source IP" for each rule to respect and forward packets to a specified miner only if it's incoming from the correct VPN tunnel. For example:
VPN tunnel 1
Interface "wg0" of VPS #1 IP: 10.0.10.1/24 | RUT360 WireGuard interface listening on port 51820, tunnel IP: 10.0.10.2/32 | Firewall rule:
Source zone: wireguard
Source MAC address: any
Source IP address (incoming IP in packet header): 10.0.10.1
Source port: Any
External IP address (matching IP of the listening interface): Any, but can be set to 10.0.10.2 to further specify the forward rule
External port: 44158
Internal zone: lan
Internal IP address: [LAN IP of device #1]
Internal port: 44158
Same goes for every other port forward rule, the only differences would be in the Source/External IP addresses.
VPN tunnel 2
Interface "wg0" of VPS #2 IP: 10.0.20.1/24 | RUT360 WireGuard interface listening on port 51821, tunnel IP: 10.0.20.2/32 | Firewall rule:
Source zone: wireguard
Source MAC address: any
Source IP address (incoming IP in packet header): 10.0.20.1
Source port: Any
External IP address (matching IP of the listening interface): Any, but can be set to 10.0.20.2 to further specify the forward rule
External port: 44158
Internal zone: lan
Internal IP address: [LAN IP of device #2]
Internal port: 44158
VPN tunnel 3
Interface "wg0" of VPS #3 IP: 10.0.30.1/24 | RUT360 WireGuard interface listening on port 51822, tunnel IP: 10.0.30.2/32 | Firewall rule:
Source zone: wireguard
Source MAC address: any
Source IP address (incoming IP in packet header): 10.0.30.1
Source port: Any
External IP address (matching IP of the listening interface): Any, but can be set to 10.0.30.2 to further specify the forward rule
External port: 44158
Internal zone: lan
Internal IP address: [LAN IP of device #3]
Internal port: 44158
Let me know if you need additional guidance regarding this request.
Best regards,
Tomas.