I think we have a winner! Adding the port forwards within OpenWRT finally allowed access to the sites. I will explore more on the OpenWRT side to see if other options are available, as I was hoping to avoid exposing ports. The Caddy docs said the DNS challenge would not need to expose ports.
“This challenge does not require any open ports, and the server requesting a certificate does not need to be externally accessible.”
config redirect
	option name 'HTTP-Forward'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip 'x.x.x.x'
	option dest_port '80'
	option target 'DNAT'
	option proto 'tcp'

config redirect
	option name 'HTTPS-Forward'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip 'x.x.x.x'
	option dest_port '443'
	option target 'DNAT'
	option proto 'tcp'
Additional screen from advanced settings within OpenWRT port forward GUI: