The STUN server gives you as client your external IP. If you are connecting to eg. Abdul Ahmed in Katar, Ahmed needs to what’s your external IP to connect directly to you, vice versa you need his external IP. Changed are theese IP’s between the Clients via SpreedME.
If you are behind a Firewall and don’t have activated UPNP or using a HTTP-Proxy you need a TURN-Server (I would try it first without). The TURN server is the “man in the middle”. Both clients connecting to the TURN server, if one of them is behind a NAT or Proxy. The DTLS session keys, given from the SpreedME server, are protecting the integrity and authenticity of the communication. But the TURN-Server can log the metadata (Who connected when to which destination).
So to answer Q2 and Q3:
It doesn’t matter if you have a static IP or not. The Other WebRTC-Client needs to know your IP and must can establish a successful connection to the other client. If not you need a STUN/TURN server. I need to use a STUN server, my config is:
stunURIs = stun.spreed.me:443 stun:stun1.l.google.com:19302 stun:stun2.l.google.com:19302 stun:stun3.l.google.com:19302 stun:stun4.l.google.com:19302
Of course the STUN server can log metadata but it is just “Client XY asked at 15:34 for his own IP” so worthless for the provider (or secret services).
I found a nice picture about STUN servers: Signallingserver and Webserver = SpreedME
To commend Q3:
I would use apt for installation (better to update). Docker does also work, but you have to update manually (correct me if wrong).
Hope i could help…