Certbot doesn't support this out of the box, but it's certainly possible. I outlined a sketch of how to do it in this post: Automated deployment of key/cert from reverse proxy to internal systems - #4 by _az
You'd have to customize it to issue a wildcard certificate, which means you'd also have to use DNS-based validation.
If you can set up a reverse proxy (such as nginx or haproxy) on the router to listen on ports 80 and 443, sure. That's mostly up to whether your router supports it.
Consider also setting up a reverse proxy server inside your network, forwarding ports 80 and 443 on your router to it, and then handling SSL there. That would be the sanest solution that avoids copying certificates around.
Unless you have a lot (20+) of hostnames, you could just also use one certificate per hostname, running Certbot on each server. It's the most reliable solution and the simplest too.