Yes, but you might have to whitelist PayPal’s IP addresses, as there is still some chance their requests might get blocked. Alternatively, you could change the IPN URL to one which goes directly to your server, though that could leak your IP address.
Yes, it will. You will “have” two certificates in that case. One, your own, on your server and another one, Cloudflare’s, on Cloudflare’s proxy/edge servers. The latter one will not be under your control, however, and will be automatically renewed by Cloudflare. Both certificates are necessary for a secure connection.
Cloudflare won’t redirect. It will replace your current nameservers and will return the addresses of Cloudflare’s proxy servers instead of your server’s. So you will have to configure your DNS records on Cloudflare and they will proxy/forward all requests to your server.