Just select to use host only routing with virtual box, the default virtual network adapters internal address is 192.168.56.1 configure Torrc for Tor on the host : SocksListenAddress 192.168.56.1 SocksPort 9100 after the virtual machine with that network adapter is started the virtual network adapter comes into existence, and at this point you can launch Tor. Now from inside the VM you can configure applications to use 192.168.56.1:9100 for SOCKS connections. Now it is not possible for the virtual machine to access the internet other than via the Tor on the host, and additionally even if the VM is rooted by a hacker they only get an internal IP address and not your external IP address. They are also kept away from Tor entirely, as it runs on the host, and so they cannot see your entry guards to deanonymize you by fucking with Tor. Thanks to the browser bundle bullshit you will need to either compile Tor Browser (pain in the ass) in the VM independently of its bundled components, or you can configure browser bundle Tor in the VM to use Socks5Proxy 192.168.56.1:9100 which causes the Tor in the VM to connect via Tor on the host, this is enough for an internet connection and for the bundled Tor Browser to launch, then you can either use Tor Via Tor (which can have unintended effects on anonymity when connecting to clear net but shouldn't have risk of being detrimental if you only connect to hidden services) , or after Tor Browser pops up you can configure it manually to use the Tor on the host. But you still need the Tor in the VM running even if you don't use it for anything, because Tor Project cares more about hand holding noobs than they do offering independent tools for experts to configure into superior to default setups.