Nicely done! One suggestion though: it would make much more sense to use Mikrotik hardware instead of the RPi. While I love everything RPi related, this might not be the perfect job for it (especially for the Zero).
Nowadays even the most affordable Mikrotik routers support Wireguard out of the box. hAP for example is more or less equally priced as RPi Zero, while being more powerfull and you don't have to worry about SD card corruption (which happens regularly when using swap all the time) or other stability issues. It's also easier to setup as you have a GUI and a ton of tutorials on this subject already.
Having said that, keep up the good work, I'm looking forward to part 2 of the series!