You need to be root to install or replace Tunnelblick or to install configurations.You can replace safe configurations without being root if allowNonAdminSafeConfigurationReplacement is set. (Note the word "Replacement".)
My earlier comment that standard users cannot install safe configurations was incorrect. They are able to do that.
If you need your users to be able to install configurations that are not safe, then Tunnelblick is not for you. (And you are enabling them to execute programs as root.)
But… I think the problems you've seen will only happen if Tunnelblick is not relaunched after the forced-preferences.plist file is created or modified and/or if it does not have the correct ownership and permissions. That's a bug which will be fixed in the next beta version of Tunnelblick.
Until then, your script should do the following:
The user should be then able to install and/or update safe configurations without entering admin credentials.
If that doesn't work, please provide the script you use and the output when the script is executed.