Reasonably secure TOR use, assuming no VM hypervisor vulnerabilities (not at all a given): Run one VM in the normal NAT'd/bridged address space. This VM has access to the internet, and runs the Tor ...