at each pump site you'll create a new subnet, eg 10.0.X.0/24 and configure ip tables to do NAT between 10.0.X.0/24 and 192.168.5.0/24.
on your central server you'll setup a route to 10.0.X.0/24 via the VPN. Ignition will be configured to read each PLC at 10.0.X.2 which will be routed to the appropriate site and translated to 192.168.5.2.
I haven't used wireguard or open VPN so can't comment on what they can or can't do. I wouldn't have thought hundreds of VPN connections would be a problem for a modern server - how much ram and CPU can each one use if all it is doing is reading a PLC once a second - so maybe the transfer rates are 1 kbyte/s tops?
I would personally use a commercial product VPN appliance that can support 30-60 VPN connections per box and a VPN client device at each pump station that can do the subnet NAT. That way this set up won't be your baby for life, when you get bored of upgrading linux kernels, find a new job, or have another 20 projects under your belt you won't be getting calls from whoever has taken over support of a home-brew ignition VPN network cobbled together with IP tables and open vpn.
It's awesome that you can make it work with open source software and practically free hardware, but every time i've deployed a linux server in a remote plant that had nobody around who knew linux it was a major pain in the *** eventually, even moreso when I moved jobs and then the poor folks were left with all this **** they didn't understand. whereas if i'd used an off the shelf product there would have been a manual, a support line, other people familiar with the product, a newer drop-in replacement compatible version of the product when the old ones start dying (nothing lasts forever) or a new site is added that they need to integrate.
I also understand you might have budget constraints.