Pangolin works with the Cloudflare proxy (orange cloud) enabled, but it requires specific configuration.

Terms of Service: Enabling the Cloudflare proxy binds you to Cloudflare’s terms of service, because your traffic routes through their network.

SSL Configuration

Recommended setup:
  1. Use wildcard certificates with DNS-01 challenge
  2. Set SSL/TLS mode to Full (Strict)
  3. Disable port 80 (not needed with wildcard certs)

Pangolin will not work with Cloudflare’s Full or Automatic SSL/TLS modes. Only Full (Strict) mode is supported.

WireGuard Configuration

Since Cloudflare proxy obscures the destination IP, you must explicitly set your VPS IP in the config file:
gerbil:
  base_endpoint: "YOUR_VPS_IP_ADDRESS"  # Required with Cloudflare proxy

1. Get your VPS IP

Find your VPS public IP address:
curl ifconfig.io

2. Update configuration

Add the IP to your config.yml:
gerbil:
  base_endpoint: "104.21.16.1"  # Replace with your actual IP

3. Restart services

Restart Pangolin to apply the changes:
docker-compose restart
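
A pre-flight check for the three steps above, as an added example (not part of Pangolin or its documentation): it reads gerbil.base_endpoint from config.yml and reports whether it is missing, a hostname, an address inside Cloudflare's ranges (what you get by resolving the proxied hostname instead of querying the VPS), or different from the VPS IP you pass in. The function names and the CF_RANGES subset are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for gerbil.base_endpoint in config.yml.
# CF_RANGES is a partial snapshot of Cloudflare's published IPv4 ranges
# (assumption: refresh it from https://www.cloudflare.com/ips-v4).
CF_RANGES="104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 162.158.0.0/15 173.245.48.0/20"

# Print base_endpoint from the top-level "gerbil:" block, without quotes/comments.
get_base_endpoint() {
  awk '
    /^[^ #]/ { in_gerbil = ($0 ~ /^gerbil:/) }
    in_gerbil && /^ +base_endpoint:/ {
      sub(/^ +base_endpoint: */, ""); sub(/ *#.*$/, ""); sub(/[ \r]+$/, "")
      print; exit
    }' "$1" | tr -d "\"'"
}

# Succeed only for a dotted quad with four octets in 0..255 and no leading zeros.
is_ipv4() {
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET/BITS: compare the leading BITS bits of both addresses.
in_cidr() {
  shift_by=$(( 32 - ${2#*/} ))
  [ $(( $(ip_to_int "$1") >> shift_by )) -eq $(( $(ip_to_int "${2%/*}") >> shift_by )) ]
}

# check_endpoint CONFIG VPS_IP prints: ok | missing | not-an-ip | cloudflare-edge | mismatch
check_endpoint() {
  ep=$(get_base_endpoint "$1")
  [ -n "$ep" ] || { echo missing; return 1; }
  is_ipv4 "$ep" || { echo not-an-ip; return 1; }
  for r in $CF_RANGES; do
    if in_cidr "$ep" "$r"; then echo cloudflare-edge; return 1; fi
  done
  [ "$ep" = "$2" ] || { echo mismatch; return 1; }
  echo ok
}

# Usage on the VPS: check_endpoint config.yml "$(curl -s ifconfig.io)"
```

Run it before restarting the services; any verdict other than ok means the WireGuard endpoint handed to clients would not be the VPS address.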