
Is this in X-Forwarded-For?



CF-Connecting-IP is what we recommend using.

See https://support.cloudflare.com/hc/en-us/articles/200170986-H... for details.
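
An added example, not part of the original comment and not Cloudflare's code: an origin server that reads `CF-Connecting-IP` only when the TCP peer is one of its reverse proxy's addresses, and falls back to the peer address otherwise. The function names and the proxy ranges (documentation address space) are assumptions made up for this sketch.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# In a real deployment, load the proxy provider's published ranges instead.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def peer_is_trusted_proxy(peer_ip):
    """True if the TCP peer address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXY_NETS)


def resolve_client_ip(peer_ip, headers):
    """Return the address to log or rate-limit on.

    headers: dict of request headers (any case). The header is honoured only
    when the connection itself came from a trusted proxy; a client that
    connects directly can put any value it likes in the header.
    """
    if not peer_is_trusted_proxy(peer_ip):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip", "").strip()
    try:
        # Normalise and reject anything that is not a single IP literal.
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer_ip


# Constructed sample requests: (TCP peer, headers)
SAMPLES = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.50"}),        # via proxy
    ("192.0.2.99", {"CF-Connecting-IP": "203.0.113.50"}),          # direct peer
    ("198.51.100.7", {"CF-Connecting-IP": "not-an-ip, 1.2.3.4"}),  # malformed
    ("198.51.100.7", {}),                                          # no header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", resolve_client_ip(peer, hdrs))
```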


Which presumably only works if your site is using Cloudflare? Since you wouldn't be MITMing SSL in order to inject this header?


This is correct. It's significantly harder to inject the origin IP into a TCP stream. We have ways [1] of doing it, but it requires some coordination on both sides.

[1] https://blog.cloudflare.com/mmproxy-creative-way-of-preservi...


Have you considered enabling this out of band? For example, as a network administrator I could verify a CIDR block and receive a real-time stream of 5-tuples (err, 7-tuples with the proxy?) destined to my network.


How can they do this?

Are Cloudflare going to be able to decrypt the TLS sessions running over their VPN between me and end-sites, so they can insert this additional HTTP header?

Doesn’t sound feasible.


When most of those sites are hosted by Cloudflare, they already decrypt the TLS session at their load balancers before forwarding the request to the remote endpoint.



