I am running a VPN on my host machine and downloading some stuff in the Whonix virtualbox. When I look at Nethogs and Netstat it appears as if Whonix is connecting to Tor directly from root and side stepping my VPN. It has a root user and no Dev tun0. Am I interpreting these screens correctly? The port 7770 connection is openVpn, so that looks okay. See screens ibb(.)co/zHPRvLt
No, but maybe VirtualBox has. Whonix is just a VM without special privileges. If VirtualBox leaks then also other things will leak.
Any leaks you can blame on your non-existent or broken VPN fail-closed mechanism.